--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/MozillaFirefox/MozillaFirefox.changes Fri Oct 01 12:00:20 2021 +0200
@@ -0,0 +1,8585 @@
+-------------------------------------------------------------------
+Thu Sep 30 10:23:09 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- allow to override wayland detection by defining MOZ_ENABLE_WAYLAND
+ explicitely as 0 or 1
+- fix aarch64 build by updating constraints
+- add mozilla-bmo1725828.patch to fix widevine (bsc#1190842)
+
+-------------------------------------------------------------------
+Sat Sep 25 10:10:56 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 92.0.1
+ * Fixed: Fixes an issue where audio playback was not working on
+ some Linux systems (bmo#1730499)
+ * Fixed: Fixes issues with the findbar close button on
+ different operating systems (bmo#1728368)
+
+-------------------------------------------------------------------
+Mon Sep 6 10:16:28 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 92.0
+ * More secure connections: Firefox can now automatically upgrade to
+ HTTPS using HTTPS RR as Alt-Svc headers
+ * Full-range color levels are now supported for video playback on
+ many systems
+ MFSA 2021-38 (bsc#1190269)
+ * CVE-2021-29993 (bmo#1708544, bmo#1708767, bmo#1712240,
+ bmo#1712242, bmo#1729259)
+ Handling custom intents could lead to crashes and UI spoofs
+ * CVE-2021-38491 (bmo#1551886)
+ Mixed-Content-Blocking was unable to check opaque origins
+ * CVE-2021-38492 (bmo#1721107)
+ Navigating to `mk:` URL scheme could load Internet Explorer
+ * CVE-2021-38493 (bmo#1723391, bmo#1724101, bmo#1724107)
+ Memory safety bugs fixed in Firefox 92, Firefox ESR 78.14 and
+ Firefox ESR 91.1
+ * CVE-2021-38494 (bmo#1723920, bmo#1725638)
+ Memory safety bugs fixed in Firefox 92
+- updated appdata
+- remove mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
+ (does not apply anymore; unclear if obsolete)
+- bring back mozilla-silence-no-return-type.patch and
+ run post-build-checks everywhere again
+- requires NSS 3.69.1
+
+-------------------------------------------------------------------
+Tue Aug 31 00:33:39 UTC 2021 - Atri Bhattacharya <badshah400@gmail.com>
+
+- Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly
+ repositioned due to rounding errors when font scaling != 1
+ (bmo#1708709); patch taken from upstream bug report and rebased
+ to apply cleanly against current version.
+
+-------------------------------------------------------------------
+Sun Aug 29 14:45:29 UTC 2021 - Martin Liška <mliska@suse.cz>
+
+- Bump using with GCC (tested locally).
+
+-------------------------------------------------------------------
+Fri Aug 27 22:47:48 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 91.0.2:
+ * Fixed: Firefox no longer clears authentication data when
+ purging trackers, to avoid repeatedly prompting for a
+ password (bmo#1721084)
+
+-------------------------------------------------------------------
+Wed Aug 18 06:34:01 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 91.0.1
+ * Fixed an issue causing buttons on the tab bar to be resized when
+ loading certain websites (bmo#1704404)
+ * Fixed an issue which caused tabs from private windows to be
+ visible in non-private windows when viewing switch-to-tab results
+ in the address bar panel (bmo#1720369)
+ * Various stability fixes
+ MFSA 2021-37 (bsc#1189547)
+ * CVE-2021-29991 (bmo#1724896)
+ Header Splitting possible with HTTP/3 Responses
+
+-------------------------------------------------------------------
+Mon Aug 9 14:55:22 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 91.0
+ MFSA 2021-33 (bsc#1188891)
+ * CVE-2021-29986 (bmo#1696138)
+ Race condition when resolving DNS names could have led to
+ memory corruption
+ * CVE-2021-29981 (bmo#1707774)
+ Live range splitting could have led to conflicting
+ assignments in the JIT
+ * CVE-2021-29988 (bmo#1717922)
+ Memory corruption as a result of incorrect style treatment
+ * CVE-2021-29983 (bmo#1719088)
+ Firefox for Android could get stuck in fullscreen mode
+ * CVE-2021-29984 (bmo#1720031)
+ Incorrect instruction reordering during JIT optimization
+ * CVE-2021-29980 (bmo#1722204)
+ Uninitialized memory in a canvas object could have led to
+ memory corruption
+ * CVE-2021-29987 (bmo#1716129)
+ Users could have been tricked into accepting unwanted
+ permissions on Linux
+ * CVE-2021-29985 (bmo#1722083)
+ Use-after-free media channels
+ * CVE-2021-29982 (bmo#1715318)
+ Single bit data leak due to incorrect JIT optimization and
+ type confusion
+ * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
+ bmo#1719998, bmo#1720568)
+ Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
+ * CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778,
+ bmo#1719319, bmo#1722073)
+ Memory safety bugs fixed in Firefox 91
+- requires
+ * rustc/cargo >= 1.51
+ * NSPR >= 4.32
+ * NSS >= 3.68
+- force-disable webrender on BE platforms
+
+-------------------------------------------------------------------
+Sat Jul 24 07:15:54 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 90.0.2:
+ * Changed: Updates to support DoH Canada rollout (bmo#1713036)
+ * Fixed: Fixed truncated output when printing (bmo#1720621)
+ * Fixed: Fixed menu styling on some Gtk themes (bmo#1720441,
+ bmo#1720874)
+
+-------------------------------------------------------------------
+Mon Jul 19 20:08:56 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 90.0.1 (boo#1188480):
+ * Fixed: Fixed busy looping processing some HTTP3 responses
+ (bmo#1720079)
+ * Fixed: Fixed transient errors authenticating with some smart
+ cards (bmo#1715325)
+ * Fixed: Fixed a rare crash on shutdown (bmo#1707057)
+ * Fixed: Fixed a race on startup that caused about:support to
+ end up empty after upgrade (bmo#1717894, boo#1188330)
+
+-------------------------------------------------------------------
+Sun Jul 11 08:53:02 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 90.0
+ MFSA 2021-28 (bsc#1188275)
+ * CVE-2021-29970 (bmo#1709976)
+ Use-after-free in accessibility features of a document
+ * CVE-2021-29971 (bmo#1713638)
+ Granted permissions only compared host; omitting scheme and
+ port on Android
+ * CVE-2021-30547 (bmo#1715766)
+ Out of bounds write in ANGLE
+ * CVE-2021-29972 (bmo#1696816)
+ Use of out-of-date library included use-after-free
+ vulnerability
+ * CVE-2021-29973 (bmo#1701932)
+ Password autofill on HTTP websites was enabled without user
+ interaction on Android
+ * CVE-2021-29974 (bmo#1704843)
+ HSTS errors could be overridden when network partitioning was
+ enabled
+ * CVE-2021-29975 (bmo#1713259)
+ Text message could be overlaid on top of another website
+ * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
+ bmo#1711576, bmo#1714391)
+ Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
+ * CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316,
+ bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357,
+ bmo#1714066)
+ Memory safety bugs fixed in Firefox 90
+- requires
+ NSPR 4.31
+ NSS 3.66
+- Gtk2 support removed (was only for Flash plugin before)
+
+-------------------------------------------------------------------
+Wed Jun 23 16:54:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 89.0.2 (boo#1187648):
+ * Fix occasional hangs with Software WebRender on Linux (bmo#1708224)
+
+-------------------------------------------------------------------
+Sat Jun 19 09:00:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 89.0.1 (boo#1187475):
+ * Updated translations, including full Spanish (Mexico)
+ localization and other improvements (bmo#1714946)
+ * Fix various font related regressions (bmo#1694174)
+ * Linux: Fix performance and stability regressions with
+ WebRender (bmo#1715895, bmo#1715902)
+ * Enterprise: Fix for the `DisableDeveloperTools` policy not
+ having effect anymore (bmo#1715777)
+ * Linux: Fix broken scrollbars on some GTK themes (bmo#1714103)
+ * Various stability fixes
+
+-------------------------------------------------------------------
+Sat May 29 20:55:56 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 89.0
+ * UI redesign
+ * The Event Timing API is now supported
+ * The CSS forced-colors media query is now supported
+ MFSA 2021-23 (bsc#1186696)
+ * CVE-2021-29965 (bmo#1709257)
+ Password Manager on Firefox for Android susceptible to domain
+ spoofing
+ * CVE-2021-29960 (bmo#1675965)
+ Filenames printed from private browsing mode incorrectly
+ retained in preferences
+ * CVE-2021-29961 (bmo#1700235)
+ Firefox UI spoof using `<select>` elements and CSS scaling
+ * CVE-2021-29963 (bmo#1705068)
+ Shared cookies for search suggestions in private browsing mode
+ * CVE-2021-29964 (bmo#1706501)
+ Out of bounds-read when parsing a `WM_COPYDATA` message
+ * CVE-2021-29959 (bmo#1395819)
+ Devices could be re-enabled without additional permission prompt
+ * CVE-2021-29962 (bmo#1701673)
+ No rate-limiting for popups on Firefox for Android
+ * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
+ bmo#1704722, bmo#1706041)
+ Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
+ * CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124)
+ Memory safety bugs fixed in Firefox 89
+- require
+ NSS >= 3.64
+ rust-cbindgen >= 0.19.0
+- do not rely on nodejs10 packagename anymore
+- updated mozilla.keyring
+- switched TW/x86_64 to clang as the last platform due to
+ https://bugs.gentoo.org/792705
+- but LTO with clang is broken in TW so disable LTO for it
+ https://bugs.llvm.org/show_bug.cgi?id=47872
+
+-------------------------------------------------------------------
+Thu May 6 13:40:10 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Relax RAM and disk constraints for aarch64
+
+-------------------------------------------------------------------
+Wed May 5 15:13:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 88.0.1
+ * Fixed: Resolved an issue caused by a recent Widevine plugin
+ update which prevented some purchased video content from
+ playing correctly (bmo#1705138)
+ * Fixed: Fixed corruption of videos playing on Twitter or
+ WebRTC calls on some Gen6 Intel graphics chipsets
+ (bmo#1708937)
+ * Fixed: Fixed menulists in Preferences being unreadable for
+ users with High Contrast Mode enabled (bmo#1706496)
+ MFSA 2021-20 (bsc#1185633)
+ * CVE-2021-29952 (bmo#1704227)
+ Race condition in Web Render Components
+- devel package: move macros to /usr/lib/rpm/macros.d (boo#1185658)
+
+-------------------------------------------------------------------
+Sun May 2 12:03:26 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- add compatibility for libavcodec58_134
+
+-------------------------------------------------------------------
+Sun Apr 18 09:01:32 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 88.0
+ * New: PDF forms now support JavaScript embedded in PDF files.
+ Some PDF forms use JavaScript for validation and other
+ interactive features
+ * New: Print updates: Margin units are now localized
+ * New: Smooth pinch-zooming using a touchpad is now supported
+ on Linux
+ * New: To protect against cross-site privacy leaks, Firefox now
+ isolates window.name data to the website that created it.
+ Learn more
+ * Changed: Firefox will not prompt for access to your
+ microphone or camera if you’ve already granted access to the
+ same device on the same site in the same tab within the past
+ 50 seconds. This new grace period reduces the number of times
+ you’re prompted to grant device access
+ * Changed: The ‘Take a Screenshot’ feature was removed from the
+ Page Actions menu in the url bar. To take a screenshot,
+ right-click to open the context menu. You can also add a
+ screenshots shortcut directly to your toolbar via the
+ Customize menu. Open the Firefox menu and select Customize…
+ * Changed: FTP support has been disabled, and its full removal
+ is planned for an upcoming release. Addressing this security
+ risk reduces the likelihood of an attack while also removing
+ support for a non-encrypted protocol
+ * Developer: Introduced a new toggle button in the Network
+ panel for switching between JSON formatted HTTP response and
+ raw data (as received over the wire).
+ !enter image description here
+ * Enterprise: Various bug fixes and new policies have been
+ implemented in the latest version of Firefox. You can see
+ more details in the Firefox for Enterprise 88 Release Notes.
+ * Fixed: Screen readers no longer incorrectly read content that
+ websites have visually hidden, as in the case of articles in
+ the Google Help panel
+ MFSA 2021-16 (bsc#1184960)
+ * CVE-2021-23994 (bmo#1699077)
+ Out of bound write due to lazy initialization
+ * CVE-2021-23995 (bmo#1699835)
+ Use-after-free in Responsive Design Mode
+ * CVE-2021-23996 (bmo#1701834)
+ Content rendered outside of webpage viewport
+ * CVE-2021-23997 (bmo#1701942)
+ Use-after-free when freeing fonts from cache
+ * CVE-2021-23998 (bmo#1667456)
+ Secure Lock icon could have been spoofed
+ * CVE-2021-23999 (bmo#1691153)
+ Blob URLs may have been granted additional privileges
+ * CVE-2021-24000 (bmo#1694698)
+ requestPointerLock() could be applied to a tab different from
+ the visible tab
+ * CVE-2021-24001 (bmo#1694727)
+ Testing code could have enabled session history manipulations
+ by a compromised content process
+ * CVE-2021-24002 (bmo#1702374)
+ Arbitrary FTP command execution on FTP servers using an
+ encoded URL
+ * CVE-2021-29945 (bmo#1700690)
+ Incorrect size computation in WebAssembly JIT could lead to
+ null-reads
+ * CVE-2021-29944 (bmo#1697604)
+ HTML injection vulnerability in Firefox for Android's Reader View
+ * CVE-2021-29946 (bmo#1698503)
+ Port blocking could be bypassed
+ * CVE-2021-29947 (bmo#1651449, bmo#1674142, bmo#1693476,
+ bmo#1696886, bmo#1700091)
+ Memory safety bugs fixed in Firefox 88
+- requires
+ * NSPR 4.30
+ * NSS 3.63.1
+- align wayland support logic
+
+-------------------------------------------------------------------
+Sat Mar 27 10:40:46 UTC 2021 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Switch to clang_build globally; just on TW/x86_64 it does not work
+ due to unreolved externals `__rust_probestack' - disable clang_build
+ then.
+- useccache: Add conditionals to enable/disable ccache.
+
+-------------------------------------------------------------------
+Tue Mar 23 16:42:19 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 87.0
+ * requires NSS 3.62
+ * removed obsolete BigEndian ICU build workaround
+ * rebased patches
+ MFSA 2021-10 (bsc#1183942)
+ * CVE-2021-23981 (bmo#1692832)
+ Texture upload into an unbound backing buffer resulted in an
+ out-of-bound read
+ * CVE-2021-23982 (bmo#1677046)
+ Internal network hosts could have been probed by a malicious
+ webpage
+ * CVE-2021-23983 (bmo#1692684)
+ Transitions for invalid ::marker properties resulted in memory
+ corruption
+ * CVE-2021-23984 (bmo#1693664)
+ Malicious extensions could have spoofed popup information
+ * CVE-2021-23985 (bmo#1659129)
+ Devtools remote debugging feature could have been enabled
+ without indication to the user
+ * CVE-2021-23986 (bmo#1692623)
+ A malicious extension could have performed credential-less
+ same origin policy violations
+ * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
+ bmo#1690718)
+ Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
+ * CVE-2021-23988 (bmo#1684994, bmo#1686653)
+ Memory safety bugs fixed in Firefox 87
+
+-------------------------------------------------------------------
+Tue Mar 16 14:26:35 UTC 2021 - Martin Liška <mliska@suse.cz>
+
+- Set memory limits for DWZ to 4x.
+
+-------------------------------------------------------------------
+Sat Mar 13 08:23:06 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 86.0.1
+ * Fixed: Fixed an issue on Apple Silicon machines that caused
+ Firefox to be unresponsive after system sleep (bmo#1682713)
+ * Fixed: Fixed an issue causing windows to gain or lose focus
+ unexpectedly (bmo#1694927)
+ * Fixed: Fixed truncation of date and time widgets due to
+ incorrect width calculation (bmo#1695578)
+ * Fixed: Fixed an issue causing unexpected behavior with
+ extensions managing tab groups (bmo#1694699)
+ * Fixed: Fixed a frequent Linux crash on browser launch
+ (bmo#1694670)
+
+-------------------------------------------------------------------
+Sun Feb 21 18:14:12 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 86.0
+ * requires NSS >= 3.61
+ * requires rust-cbindgen >= 0.16.0
+ * Firefox now supports simultaneously watching multiple videos in
+ Picture-in-Picture.
+ * Total Cookie Protection to Strict Mode
+ * https://www.mozilla.org/en-US/firefox/86.0/releasenotes
+ MSFA 2021-07 (bsc#1182614)
+ * CVE-2021-23969 (bmo#1542194)
+ Content Security Policy violation report could have contained
+ the destination of a redirect
+ * CVE-2021-23970 (bmo#1681724)
+ Multithreaded WASM triggered assertions validating separation
+ of script domains
+ * CVE-2021-23968 (bmo#1687342)
+ Content Security Policy violation report could have contained
+ the destination of a redirect
+ * CVE-2021-23974 (bmo#1528997, bmo#1683627)
+ noscript elements could have led to an HTML Sanitizer bypass
+ * CVE-2021-23971 (bmo#1678545)
+ A website's Referrer-Policy could have been be overridden,
+ potentially resulting in the full URL being sent as a Referrer
+ * CVE-2021-23976 (bmo#1684627)
+ Local spoofing of web manifests for arbitrary pages in
+ Firefox for Android
+ * CVE-2021-23977 (bmo#1684761)
+ Malicious application could read sensitive data from Firefox
+ for Android's application directories
+ * CVE-2021-23972 (bmo#1683536)
+ HTTP Auth phishing warning was omitted when a redirect is
+ cached
+ * CVE-2021-23975 (bmo#1685145)
+ about:memory Measure function caused an incorrect pointer
+ operation
+ * CVE-2021-23973 (bmo#1690976)
+ MediaError message property could have leaked information
+ about cross-origin resources
+ * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797)
+ Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
+ * CVE-2021-23979 (bmo#1663222, bmo#1666607, bmo#1672120, bmo#1678463,
+ bmo#1678927, bmo#1679560, bmo#1681297, bmo#1681684, bmo#1683490,
+ bmo#1684377, bmo#1684902)
+ Memory safety bugs fixed in Firefox 86
+- updated create-tar.sh (bsc#1182357)
+- removed obsolete mozilla-bmo1554971.patch
+- remove buildsymbols subpackage
+ * we haven't done anything with it for years
+ * mozilla is collecting those from our debuginfo packages
+ * would require a local dump_syms tool
+
+-------------------------------------------------------------------
+Wed Feb 17 18:40:41 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 85.0.2
+ * Fixed: Fixed a deadlock during startup (bmo#1679933)
+
+-------------------------------------------------------------------
+Wed Feb 17 11:19:01 UTC 2021 - Michel Normand <normand@linux.vnet.ibm.com>
+
+- Use %limit_build macros for PowerPC to avoid oom build failure
+
+-------------------------------------------------------------------
+Tue Feb 9 09:05:26 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 85.0.1
+ MFSA 2021-06 (bsc#1181848)
+ * MOZ-2021-0001 (bmo#1676636)
+ Buffer overflow in depth pitch calculations for compressed
+ textures
+ * Fixed: Avoid printing an extra blank page at the end of some
+ documents (bmo#1689789).
+ * Fixed: Fixed a browser crash in case of unexpected Cache API
+ state (bmo#1684838).
+
+-------------------------------------------------------------------
+Sun Jan 24 11:53:58 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 85.0
+ * Adobe Flash is completely history
+ * supercookie protection
+ * new bookmark handling and features
+ MFSA 2021-03 (bsc#1181414)
+ * CVE-2021-23953 (bmo#1683940)
+ Cross-origin information leakage via redirected PDF requests
+ * CVE-2021-23954 (bmo#1684020)
+ Type confusion when using logical assignment operators in
+ JavaScript switch statements
+ * CVE-2021-23955 (bmo#1684837)
+ Clickjacking across tabs through misusing requestPointerLock
+ * CVE-2021-23956 (bmo#1338637)
+ File picker dialog could have been used to disclose a
+ complete directory
+ * CVE-2021-23957 (bmo#1584582)
+ Iframe sandbox could have been bypassed on Android via the
+ intent URL scheme
+ * CVE-2021-23958 (bmo#1642747)
+ Screen sharing permission leaked across tabs
+ * CVE-2021-23959 (bmo#1659035)
+ Cross-Site Scripting in error pages on Firefox for Android
+ * CVE-2021-23960 (bmo#1675755)
+ Use-after-poison for incorrectly redeclared JavaScript
+ variables during GC
+ * CVE-2021-23961 (bmo#1677940)
+ More internal network hosts could have been probed by a
+ malicious webpage
+ * CVE-2021-23962 (bmo#1677194)
+ Use-after-poison in
+ <code>nsTreeBodyFrame::RowCountChanged</code>
+ * CVE-2021-23963 (bmo#1680793)
+ Permission prompt inaccessible after asking for additional
+ permissions
+ * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278,
+ bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590,
+ bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938,
+ bmo#1683736, bmo#1685260, bmo#1685925)
+ Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
+ * CVE-2021-23965 (bmo#1670378, bmo#1673555, bmo#1676812, bmo#1678582,
+ bmo#1684497)
+ Memory safety bugs fixed in Firefox 85
+- requires NSS 3.60.1
+- requires rust 1.47
+- remove obsolete mozilla-pipewire-0-3.patch
+
+-------------------------------------------------------------------
+Mon Jan 11 18:02:01 UTC 2021 - Matthias Mailänder <mailaender@opensuse.org>
+
+- Fix AppStream screenshot links
+
+-------------------------------------------------------------------
+Thu Jan 7 17:11:43 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 84.0.2
+ MFSA 2021-01 (bsc#1180623)
+ * CVE-2020-16044 (bmo#1683964)
+ Use-after-free write when handling a malicious COOKIE-ECHO
+ SCTP chunk
+
+-------------------------------------------------------------------
+Sun Dec 27 09:52:50 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 84.0.1
+ * Fixed problems loading secure websites and crashes for users
+ with certain third-party PKCS11 modules and smartcards installed
+ (bmo#1682881) (fixed in NSS 3.59.1)
+ * Fixed a bug causing some Unity JS games to not load on Apple
+ Silicon devices due to improper detection of the OS version
+ (bmo#1680516)
+- requires NSS 3.59.1
+
+-------------------------------------------------------------------
+Sun Dec 13 18:18:58 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 84.0
+ * Firefox 84 is the final release to support Adobe Flash
+ * WebRender is enabled by default when run on GNOME-based X11
+ Linux desktops
+ MFSA 2020-54 (bsc#1180039))
+ * CVE-2020-16042 (bmo#1679003)
+ Operations on a BigInt could have caused uninitialized memory
+ to be exposed
+ * CVE-2020-26971 (bmo#1663466)
+ Heap buffer overflow in WebGL
+ * CVE-2020-26972 (bmo#1671382)
+ Use-After-Free in WebGL
+ * CVE-2020-26973 (bmo#1680084)
+ CSS Sanitizer performed incorrect sanitization
+ * CVE-2020-26974 (bmo#1681022)
+ Incorrect cast of StyleGenericFlexBasis resulted in a heap
+ use-after-free
+ * CVE-2020-26975 (bmo#1661071)
+ Malicious applications on Android could have induced Firefox
+ for Android into sending arbitrary attacker-specified headers
+ * CVE-2020-26976 (bmo#1674343)
+ HTTPS pages could have been intercepted by a registered
+ service worker when they should not have been
+ * CVE-2020-26977 (bmo#1676311)
+ URL spoofing via unresponsive port in Firefox for Android
+ * CVE-2020-26978 (bmo#1677047)
+ Internal network hosts could have been probed by a malicious
+ webpage
+ * CVE-2020-26979 (bmo#1641287, bmo#1673299)
+ When entering an address in the address or search bars, a
+ website could have redirected the user before they were
+ navigated to the intended url
+ * CVE-2020-35111 (bmo#1657916)
+ The proxy.onRequest API did not catch view-source URLs
+ * CVE-2020-35112 (bmo#1661365)
+ Opening an extension-less download may have inadvertently
+ launched an executable instead
+ * CVE-2020-35113 (bmo#1664831, bmo#1673589)
+ Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
+ * CVE-2020-35114 (bmo#1607449, bmo#1640416, bmo#1656459,
+ bmo#1669914, bmo#1673567)
+ Memory safety bugs fixed in Firefox 84
+- requires
+ NSS >= 3.59
+ rust >= 1.44
+ rust-cbindgen >= 0.15.0
+- remove revert-795c8762b16b.patch and replace with mozilla-pgo.patch
+
+-------------------------------------------------------------------
+Sat Nov 21 08:12:17 UTC 2020 - Kirill Kirillov <kkirill@opensuse.org>
+
+- Add/Enable GNOME search provider
+
+-------------------------------------------------------------------
+Sun Nov 15 12:16:53 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 83.0
+ * major update for SpiderMonkey improving performance significantly
+ * optional HTTPS-Only mode
+ * more improvements
+ https://www.mozilla.org/en-US/firefox/83.0/releasenotes/
+ MFSA 2020-50 (bsc#1178824))
+ * CVE-2020-26951 (bmo#1667113)
+ Parsing mismatches could confuse and bypass security
+ sanitizer for chrome privileged code
+ * CVE-2020-26952 (bmo#1667685)
+ Out of memory handling of JITed, inlined functions could lead
+ to a memory corruption
+ * CVE-2020-16012 (bmo#1642028)
+ Variable time processing of cross-origin images during
+ drawImage calls
+ * CVE-2020-26953 (bmo#1656741)
+ Fullscreen could be enabled without displaying the security UI
+ * CVE-2020-26954 (bmo#1657026)
+ Local spoofing of web manifests for arbitrary pages in
+ Firefox for Android
+ * CVE-2020-26955 (bmo#1663261)
+ Cookies set during file downloads are shared between normal
+ and Private Browsing Mode in Firefox for Android
+ * CVE-2020-26956 (bmo#1666300)
+ XSS through paste (manual and clipboard API)
+ * CVE-2020-26957 (bmo#1667179)
+ OneCRL was not working in Firefox for Android
+ * CVE-2020-26958 (bmo#1669355)
+ Requests intercepted through ServiceWorkers lacked MIME type
+ restrictions
+ * CVE-2020-26959 (bmo#1669466)
+ Use-after-free in WebRequestService
+ * CVE-2020-26960 (bmo#1670358)
+ Potential use-after-free in uses of nsTArray
+ * CVE-2020-15999 (bmo#1672223)
+ Heap buffer overflow in freetype
+ * CVE-2020-26961 (bmo#1672528)
+ DoH did not filter IPv4 mapped IP Addresses
+ * CVE-2020-26962 (bmo#610997)
+ Cross-origin iframes supported login autofill
+ * CVE-2020-26963 (bmo#1314912)
+ History and Location interfaces could have been used to hang
+ the browser
+ * CVE-2020-26964 (bmo#1658865)
+ Firefox for Android's Remote Debugging via USB could have
+ been abused by untrusted apps on older versions of Android
+ * CVE-2020-26965 (bmo#1661617)
+ Software keyboards may have remembered typed passwords
+ * CVE-2020-26966 (bmo#1663571)
+ Single-word search queries were also broadcast to local
+ network
+ * CVE-2020-26967 (bmo#1665820)
+ Mutation Observers could break or confuse Firefox Screenshots
+ feature
+ * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
+ bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
+ bmo#1671923)
+ Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
+ * CVE-2020-26969 (bmo#1623920, bmo#1651705, bmo#1667872,
+ bmo#1668876)
+ Memory safety bugs fixed in Firefox 83
+- requires
+ NSS >= 3.58
+ nodejs >= 10.22.1
+- removed obsolete mozilla-ppc-altivec_static_inline.patch
+- disable LTO on TW because of ICEs in gcc
+
+-------------------------------------------------------------------
+Mon Nov 9 10:15:52 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 82.0.3
+ MSFA 2020-49
+ * CVE-2020-26950 (bmo#1675905)
+ Write side effects in MCallGetProperty opcode not accounted for
+
+-------------------------------------------------------------------
+Mon Nov 2 09:00:13 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 82.0.2
+ * few bugfixes for introduced regressions
+
+-------------------------------------------------------------------
+Sun Nov 1 20:15:17 UTC 2020 - Kirill Kirillov <kkirill@opensuse.org>
+
+- Enable GNOME search provider
+
+-------------------------------------------------------------------
+Thu Oct 15 20:44:47 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 82.0
+ * https://www.mozilla.org/en-US/firefox/82.0/releasenotes/
+ MFSA 2020-45 (bsc#1177872)
+ * CVE-2020-15969 (bmo#1666570)
+ Use-after-free in usersctp
+ * CVE-2020-15254 (bmo#1668514)
+ Undefined behavior in bounded channel of crossbeam rust crate
+ * CVE-2020-15680 (bmo#1658881)
+ Presence of external protocol handlers could be determined
+ through image tags
+ * CVE-2020-15681 (bmo#1666568)
+ Multiple WASM threads may have overwritten each others' stub
+ table entries
+ * CVE-2020-15682 (bmo#1636654)
+ The domain associated with the prompt to open an external
+ protocol could be spoofed to display the incorrect origin
+ * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
+ bmo#1662760, bmo#1663439, bmo#1666140)
+ Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
+ * CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259,
+ bmo#1664257)
+ Memory safety bugs fixed in Firefox 82
+- requires
+ * NSPR 4.29
+ * NSS 3.57
+
+-------------------------------------------------------------------
+Thu Oct 1 20:00:27 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 81.0.1
+ * https://www.mozilla.org/en-US/firefox/81.0.1/releasenotes/
+- remove obsolete python2 build requires
+
+-------------------------------------------------------------------
+Wed Sep 30 18:49:10 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Increase disk requirements in _constraints to match current needs
+
+-------------------------------------------------------------------
+Fri Sep 18 06:22:40 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 81.0
+ * https://www.mozilla.org/en-US/firefox/81.0/releasenotes
+ MFSA 2020-42 (bsc#1176756)
+ * CVE-2020-15675 (bmo#1654211)
+ Use-After-Free in WebGL
+ * CVE-2020-15677 (bmo#1641487)
+ Download origin spoofing via redirect
+ * CVE-2020-15676 (bmo#1646140)
+ XSS when pasting attacker-controlled data into a
+ contenteditable element
+ * CVE-2020-15678 (bmo#1660211)
+ When recursing through layers while scrolling, an iterator
+ may have become invalid, resulting in a potential use-after-
+ free scenario
+ * CVE-2020-15673 (bmo#1648493, bmo#1660800)
+ Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
+ * CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
+ Memory safety bugs fixed in Firefox 81
+- requires
+ NSPR 4.28
+ NSS 3.56
+- removed obsolete patches
+ * mozilla-system-nspr.patch
+ * mozilla-bmo1661715.patch
+ * mozilla-silence-no-return-type.patch
+- skip post-build-checks for 15.0 and 15.1
+- add revert-795c8762b16b.patch to fix LTO builds with gcc
+ (related to bmo#1644409)
+- require python3-curses as workaround to fix i586 build
+
+-------------------------------------------------------------------
+Thu Sep 17 11:45:31 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Use %limit_build macro again for aarch64 and armv7, instead of
+ the new memoryperjob _constraints to use more workers
+
+-------------------------------------------------------------------
+Sat Sep 5 17:43:26 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- add mozilla-bmo1661715.patch to fix Flash plugin
+
+-------------------------------------------------------------------
+Wed Sep 2 17:11:19 UTC 2020 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Mozilla Firefox 80.0.1: Bug fixes:
+ * Fixed a performance regression when encountering new intermediate
+ CA certificates (bmo#1661543)
+ * Fixed crashes possibly related to GPU resets (bmo#1627616)
+ * Fixed rendering on some sites using WebGL (bmo#1659225)
+ * Fixed the zoom-in keyboard shortcut on Japanese language builds
+ (bmo#1661895)
+ * Fixed download issues related to extensions and cookies
+ (bmo#1655190)
+- added mozilla-silence-no-return-type.patch
+
+-------------------------------------------------------------------
+Tue Aug 25 19:30:15 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- more whitelisting (/dev/random) for sandbox in relation to FIPS
+ (bsc#1174284)
+- improve langpack builds to use dedicated objdirs and make it
+ parallel again
+
+-------------------------------------------------------------------
+Sat Aug 22 06:52:01 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 80.0
+ MFSA 2020-36 (bsc#1175686)
+ * CVE-2020-15663 (bmo#1643199)
+ Downgrade attack on the Mozilla Maintenance Service could
+ have resulted in escalation of privilege
+ * CVE-2020-15664 (bmo#1658214)
+ Attacker-induced prompt for extension installation
+ * CVE-2020-12401 (bmo#1631573)
+ Timing-attack on ECDSA signature generation
+ * CVE-2020-6829 (bmo#1631583)
+ P-384 and P-521 vulnerable to an electro-magnetic side
+ channel attack on signature generation
+ * CVE-2020-12400 (bmo#1623116)
+ P-384 and P-521 vulnerable to a side channel attack on
+ modular inversion
+ * CVE-2020-15665 (bmo#1651636)
+ Address bar not reset when choosing to stay on a page after
+ the beforeunload dialog is shown
+ * CVE-2020-15666 (bmo#1450853)
+ MediaError message property leaks cross-origin response
+ status
+ * CVE-2020-15667 (bmo#1653371)
+ Heap overflow when processing an update file
+ * CVE-2020-15668 (bmo#1651520)
+ Data Race when reading certificate information
+ * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
+ bmo#1656957)
+ Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
+- requires
+ * NSPR 4.27
+ * NSS 3.55
+- added mozilla-system-nspr.patch (bmo#1661096)
+- exclude ga-IE locale as it's failing to build
+- rollback parallelize locale build because it breaks bookmarks
+ (boo#1167976)
+- preserve original default bookmark file during langpack build
+ (boo#1167976)
+- add some ccache output during build
+
+-------------------------------------------------------------------
+Thu Aug 20 13:07:33 UTC 2020 - Martin Liška <mliska@suse.cz>
+
+- Use new memoryperjob _constraints instead of %limit_build macro.
+
+-------------------------------------------------------------------
+Mon Aug 10 09:19:38 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- use ccache for build
+- replace versioned RPM deps with requires_ge
+- parallelize locale build
+
+-------------------------------------------------------------------
+Thu Aug 6 14:37:16 UTC 2020 - Yunhe Guo <i@guoyunhe.me>
+
+- Change *.appdata.xml location to latest AppStream standard
+
+-------------------------------------------------------------------
+Thu Jul 23 21:00:34 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 79.0
+ MFSA 2020-30 (bsc#1174538)
+ * CVE-2020-15652 (bmo#1634872)
+ Potential leak of redirect targets when loading scripts in a worker
+ * CVE-2020-6514 (bmo#1642792)
+ WebRTC data channel leaks internal address to peer
+ * CVE-2020-15655 (bmo#1645204)
+ Extension APIs could be used to bypass Same-Origin Policy
+ * CVE-2020-15653 (bmo#1521542)
+ Bypassing iframe sandbox when allowing popups
+ * CVE-2020-6463 (bmo#1635293)
+ Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
+ * CVE-2020-15656 (bmo#1647293)
+ Type confusion for special arguments in IonMonkey
+ * CVE-2020-15658 (bmo#1637745)
+ Overriding file type when saving to disk
+ * CVE-2020-15657 (bmo#1644954)
+ DLL hijacking due to incorrect loading path
+ * CVE-2020-15654 (bmo#1648333)
+ Custom cursor can overlay user interface
+ * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856,
+ bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220,
+ bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678)
+ Memory safety bugs fixed in Firefox 79
+- updated dependency requirements:
+ * mozilla-nspr >= 4.26
+ * mozilla-nss >= 3.54
+ * rust >= 1.43
+ * rust-cbindgen >= 0.14.3
+- removed obsolete patch
+ mozilla-bmo1463035.patch
+
+-------------------------------------------------------------------
+Tue Jul 21 21:31:20 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- fixed syntax issue in desktop file (boo#1174360)
+
+-------------------------------------------------------------------
+Fri Jul 17 15:07:45 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Add mozilla-libavcodec58_91.patch to link against updated
+ soversion of libavcodec (58.91) with ffmpeg >= 4.3.
+ (patch provided by Atri Bhattacharya <badshah400@gmail.com>
+- enable MOZ_USE_XINPUT2 for TW (again) (boo#1173320)
+ (Plasma 5.19.3 is now in TW)
+
+-------------------------------------------------------------------
+Sat Jul 11 11:08:06 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 78.0.2
+ * Fixed an accessibility regression in reader mode (bmo#1650922)
+ * Made the address bar more resilient to data corruption in the
+ user profile (bmo#1649981)
+ * Fixed a regression opening certain external applications (bmo#1650162)
+ MFSA 2020-28
+ * CVE pending (bmo#1644076)
+ X-Frame-Options bypass using object or embed tags
+- added desktop file actions
+- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed
+ (boo#1173993)
+- rework langpack integration (boo#1173991)
+ * ship XPIs instead of directories
+ * allow addon sideloading
+ * mark signatures for langpacks non-mandatory
+ * do not autodisable user profile scopes
+- Google API key is not usable for geolocation service
+- fix pipewire support for TW (boo#1172903)
+
+-------------------------------------------------------------------
+Wed Jul 1 07:15:02 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 78.0.1
+ * Fixed an issue which could cause installed search engines to not
+ be visible when upgrading from a previous release.
+- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
+
+-------------------------------------------------------------------
+Sun Jun 28 07:17:13 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 78.0
+ * startup notifications now using Gtk instead of libnotify
+ * PDF downloads now show an option to open the PDF directly in Firefox
+ * Protections Dashboard (about:protections)
+ * WebRTC not interrupted by screensaver anymore
+ * disabled TLS 1.0 and 1.1 by default
+ MFSA 2020-24 (bsc#1173576)
+ * CVE-2020-12415 (bmo#1586630)
+ AppCache manifest poisoning due to url encoded character processing
+ * CVE-2020-12416 (bmo#1639734)
+ Use-after-free in WebRTC VideoBroadcaster
+ * CVE-2020-12417 (bmo#1640737)
+ Memory corruption due to missing sign-extension for ValueTags
+ on ARM64
+ * CVE-2020-12418 (bmo#1641303)
+ Information disclosure due to manipulated URL object
+ * CVE-2020-12419 (bmo#1643874)
+ Use-after-free in nsGlobalWindowInner
+ * CVE-2020-12420 (bmo#1643437)
+ Use-After-Free when trying to connect to a STUN server
+ * CVE-2020-12402 (bmo#1631597)
+ RSA Key Generation vulnerable to side-channel attack
+ * CVE-2020-12421 (bmo#1308251)
+ Add-On updates did not respect the same certificate trust
+ rules as software updates
+ * CVE-2020-12422 (bmo#1450353)
+ Integer overflow in nsJPEGEncoder::emptyOutputBuffer
+ * CVE-2020-12423 (bmo#1642400)
+ DLL Hijacking due to searching %PATH% for a library
+ * CVE-2020-12424 (bmo#1562600)
+ WebRTC permission prompt could have been bypassed by a
+ compromised content process
+ * CVE-2020-12425 (bmo#1634738)
+ Out of bound read in Date.parse()
+ * CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682)
+ Memory safety bugs fixed in Firefox 78
+- requires
+ * NSS >= 3.53.1
+ * nodejs >= 10.21
+ * Gtk+3 >= 3.14
+- removed obsolete patches
+ * mozilla-s390-bigendian.patch
+ * mozilla-bmo1634646.patch
+- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build
+ WebRTC with pipewire support to enable screen sharing under
+ Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3)
+ appropriately (boo#1172903).
+- adding SLE12 compatibility in spec file
+- add patches for s390x
+ * mozilla-bmo1602730.patch (bmo#1602730)
+ * mozilla-bmo1626236.patch (bmo#1626236)
+ * mozilla-bmo998749.patch (bmo#998749)
+ * mozilla-s390x-skia-gradient.patch
+- update create-tar.sh
+- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure
+
+-------------------------------------------------------------------
+Wed Jun 10 07:17:15 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Exclude armv6, since it is unbuildable since about 3 years
+
+-------------------------------------------------------------------
+Wed Jun 3 21:39:11 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 77.0.1
+ * Disable automatic selection of DNS over HTTPS providers during
+ a test to enable wider deployment in a more controlled way
+ (bmo#1642723)
+
+-------------------------------------------------------------------
+Fri May 29 11:49:36 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 77.0
+ * view and manage web certificates more easily on the new
+ about:certificate page
+ * improvements in accessibility
+ * significant improvements to JavaScript debugging
+ MFSA 2020-20 (bsc#1172402)
+ * CVE-2020-12399 (bmo#1631576)
+ Timing attack on DSA signatures in NSS library
+ (fixed with external NSS >= 3.52.1)
+ * CVE-2020-12405 (bmo#1631618)
+ Use-after-free in SharedWorkerService
+ * CVE-2020-12406 (bmo#1639590)
+ JavaScript type confusion with NativeTypes
+ * CVE-2020-12407 (bmo#1637112)
+ WebRender leaking GPU memory when using border-image CSS
+ directive
+ * CVE-2020-12408 (bmo#1623888)
+ URL spoofing when using IP addresses
+ * CVE-2020-12409 (bmo#1619305, bmo#1632717)
+ Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
+ * CVE-2020-12411 (bmo#1620972, bmo#1625333)
+ Memory safety bugs fixed in Firefox 77
+- requires
+ * NSS >= 3.52.1
+ * rust-cbindgen >= 1.14.1
+ * clang >= 5
+- added mozilla-bmo1634646.patch as part of fixing PGO build
+ (still not working)
+
+-------------------------------------------------------------------
+Wed May 13 12:21:13 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>
+
+- change again _constraints for ppc64le use <physicalmemory>
+ and increase limit_build in spec file to reduce max_jobs.
+
+-------------------------------------------------------------------
+Sat May 9 11:45:39 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 76.0.1
+ * Fixed a bug causing some add-ons such as Amazon Assistant to see
+ multiple onConnect events, impairing functionality (bmo#1635637)
+
+-------------------------------------------------------------------
+Fri May 1 11:59:58 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 76.0
+ * Lockwise improvements
+ * Improvements in Picture-in-Picture feature
+ * Support Audio Worklets
+ MFSA-2020-16 (bsc#1171186)
+ * CVE-2020-12387 (bmo#1545345)
+ Use-after-free during worker shutdown
+ * CVE-2020-12388 (bmo#1618911)
+ Sandbox escape with improperly guarded Access Tokens
+ * CVE-2020-12389 (bmo#1554110)
+ Sandbox escape with improperly separated process types
+ * CVE-2020-6831 (bmo#1632241)
+ Buffer overflow in SCTP chunk input validation
+ * CVE-2020-12390 (bmo#1141959)
+ Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
+ * CVE-2020-12391 (bmo#1457100)
+ Content-Security-Policy bypass using object elements
+ * CVE-2020-12392 (bmo#1614468)
+ Arbitrary local file access with 'Copy as cURL'
+ * CVE-2020-12393 (bmo#1615471)
+ Devtools' 'Copy as cURL' feature did not fully escape
+ website-controlled data, potentially leading to command injection
+ * CVE-2020-12394 (bmo#1628288)
+ URL spoofing in location bar when unfocussed
+ * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
+ bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
+ Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
+ * CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488,
+ bmo#1622291, bmo#1627644)
+ Memory safety bugs fixed in Firefox 76
+- requires
+ * NSS >= 3.51.1
+ * nasm >= 2.14
+- removed obsolete patch mozilla-bmo1622013.patch
+- fix URI creation for KDE file selector integration (boo#1160331)
+
+-------------------------------------------------------------------
+Tue Apr 7 12:18:27 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 75.0
+ * https://www.mozilla.org/en-US/firefox/75.0/releasenotes
+ MFSA 2020-12 (bsc#1168874)
+ * CVE-2020-6821 (bmo#1625404)
+ Uninitialized memory could be read when using the WebGL
+ copyTexSubImage method
+ * CVE-2020-6822 (bmo#1544181)
+ Out of bounds write in GMPDecodeData when processing large images
+ * CVE-2020-6823 (bmo#1614919)
+ Malicious Extension could obtain auth codes from OAuth login flows
+ * CVE-2020-6824 (bmo#1621853)
+ Generated passwords may be identical on the same site between
+ separate private browsing sessions
+ * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203)
+ Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
+ * CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488,
+ bmo#1619229,bmo#1620719,bmo#1624897)
+ Memory safety bugs fixed in Firefox 75
+- removed obsolete patch
+ mozilla-bmo1609538.patch
+- requires
+ * rust >= 1.41
+ * rust-cbindgen >= 0.13.1
+ * mozilla-nss >= 3.51
+ * nodejs10 >= 10.19
+- fix build issue in libvpx for i586 via mozilla-bmo1622013.patch
+
+-------------------------------------------------------------------
+Mon Apr 6 11:19:24 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>
+
+- increase _constraints memory for ppc64le
+
+-------------------------------------------------------------------
+Fri Apr 3 15:23:28 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 74.0.1
+ MFSA 2020-11 (boo#1168630)
+ * CVE-2020-6819 (bmo#1620818)
+ Use-after-free while running the nsDocShell destructor
+ * CVE-2020-6820 (bmo#1626728)
+ Use-after-free when handling a ReadableStream
+
+-------------------------------------------------------------------
+Wed Mar 25 07:30:39 UTC 2020 - Marcus Meissner <meissner@suse.com>
+
+- mozilla-sandbox-fips.patch: allow /proc/sys/crypto/fips_enabled
+ to be read, as openssl 1.1.1 FIPS aborts if it cannot access it
+ (bsc#1167132)
+
+-------------------------------------------------------------------
+Sat Mar 7 08:51:06 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 74.0
+ * https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
+ MFSA 2020-08 (bsc#1166238)
+ * CVE-2020-6805 (bmo#1610880)
+ Use-after-free when removing data about origins
+ * CVE-2020-6806 (bmo#1612308)
+ BodyStream::OnInputStreamReady was missing protections against
+ state confusion
+ * CVE-2020-6807 (bmo#1614971)
+ Use-after-free in cubeb during stream destruction
+ * CVE-2020-6808 (bmo#1247968)
+ URL Spoofing via javascript: URL
+ * CVE-2020-6809 (bmo#1420296)
+ Web Extensions with the all-urls permission could access local
+ files
+ * CVE-2020-6810 (bmo#1432856)
+ Focusing a popup while in fullscreen could have obscured the
+ fullscreen notification
+ * CVE-2020-6811 (bmo#1607742)
+ Devtools' 'Copy as cURL' feature did not fully escape
+ website-controlled data, potentially leading to command injection
+ * CVE-2019-20503 (bmo#1613765)
+ Out of bounds reads in sctp_load_addresses_from_init
+ * CVE-2020-6812 (bmo#1616661)
+ The names of AirPods with personally identifiable information
+ were exposed to websites with camera or microphone permission
+ * CVE-2020-6813 (bmo#1605814)
+ @import statements in CSS could bypass the Content Security
+ Policy nonce feature
+ * CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,
+ bmo#1614339)
+ Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
+ * CVE-2020-6815 (bmo#1181957,bmo#1557732,bmo#1557739,bmo#1611457,
+ bmo#1612431)
+ Memory and script safety bugs fixed in Firefox 74
+- requires
+ * NSPR 4.25
+ * NSS 3.50
+ * rust-cbindgen 0.13.0
+- removed obsolete patches
+ mozilla-bmo1610814.patch
+ mozilla-cubeb-noreturn.patch
+- add mozilla-bmo1609538.patch to fix wayland issues with mutter 3.36
+ (bmo#1609538, boo#1166471)
+
+-------------------------------------------------------------------
+Wed Feb 26 08:12:00 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- big endian fixes
+
+-------------------------------------------------------------------
+Tue Feb 25 14:17:00 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Fix build on aarch64/armv7 with:
+ * mozilla-bmo1610814.patch (boo#1164845, bmo#1610814)
+
+-------------------------------------------------------------------
+Thu Feb 20 13:40:59 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 73.0.1
+ * Resolved problems connecting to the RBC Royal Bank website
+ (bmo#1613943)
+ * Fixed Firefox unexpectedly exiting when leaving Print Preview mode
+ (bmo#1611133)
+ * Fixed crashes when playing encrypted content on some Linux systems
+ (bmo#1614535, boo#1164646)
+- start in wayland mode when running under wayland session
+
+-------------------------------------------------------------------
+Sun Feb 9 07:45:00 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 73.0
+ * Added support for setting a default zoom level applicable for all
+ web content
+ * High-contrast mode has been updated to allow background images
+ * Improved audio quality when playing back audio at a faster or
+ slower speed
+ * Added NextDNS as alternative option for DNS over HTTPS
+ MFSA 2020-05 (bsc#1163368)
+ * CVE-2020-6796 (bmo#1610426)
+ Missing bounds check on shared memory read in the parent process
+ * CVE-2020-6797 (bmo#1596668) (MacOS X only)
+ Extensions granted downloads.open permission could open arbitrary
+ applications on Mac OSX
+ * CVE-2020-6798 (bmo#1602944)
+ Incorrect parsing of template tag could result in JavaScript injection
+ * CVE-2020-6799 (bmo#1606596) (Windows only)
+ Arbitrary code execution when opening pdf links from other
+ applications, when Firefox is configured as default pdf reader
+ * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
+ bmo#1608580,bmo#1608785,bmo#1605777)
+ Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
+ * CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492)
+ Memory safety bugs fixed in Firefox 73
+- updated requirements
+ * rust >= 1.39
+ * NSS >= 3.49.2
+ * rust-cbindgen >= 0.12.0
+- rebased patches
+- removed obsolete patch
+ * mozilla-bmo1601707.patch
+- switched to cairo-gtk3-wayland build
+ (to fully enable wayland MOZ_ENABLE_WAYLAND=1 needs to be set)
+- disabled elfhack due to failing packager
+ https://github.com/openSUSE/firefox-maintenance/issues/28
+- disabled PGO due to build failure
+ https://github.com/openSUSE/firefox-maintenance/issues/29
+
+-------------------------------------------------------------------
+Tue Jan 28 07:30:16 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc>
+
+- Use a symbolic icon from branding internals
+- Pixmaps no longer required for the desktops
+
+-------------------------------------------------------------------
+Wed Jan 22 10:30:21 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 72.0.2
+ * Various stability fixes
+ * Fixed issues opening files with spaces in their path (bmo#1601905)
+ * Fixed a hang opening about:logins when a master password is set
+ (bmo#1606992)
+ * Fixed a web compatibility issue with CSS Shadow Parts which
+ shipped in Firefox 72 (bmo#1604989)
+ * Fixed inconsistent playback performance for fullscreen 1080p
+ videos on some systems (bmo#1608485)
+
+-------------------------------------------------------------------
+Tue Jan 21 12:59:54 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Fix build for aarch64/ppc64le (do not update config.sub file
+ for libbacktrace)
+
+-------------------------------------------------------------------
+Wed Jan 8 08:19:12 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 72.0.1
+ MFSA 2020-03 (bsc#1160498)
+ * CVE-2019-17026 (bmo#1607443)
+ IonMonkey type confusion with StoreElementHole and FallibleStoreElement
+- Mozilla Firefox 72.0
+ * block fingerprinting scripts by default
+ * new notification pop-ups
+ * Picture-in-picture video
+ MFSA 2020-01 (bsc#1160305)
+ * CVE-2019-17016 (bmo#1599181)
+ Bypass of @namespace CSS sanitization during pasting
+ * CVE-2019-17017 (bmo#1603055)
+ Type Confusion in XPCVariant.cpp
+ * CVE-2019-17020 (bmo#1597645)
+ Content Security Policy not applied to XSL stylesheets applied
+ to XML documents
+ * CVE-2019-17022 (bmo#1602843)
+ CSS sanitization does not escape HTML tags
+ * CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME)
+ NSS may negotiate TLS 1.2 or below after a TLS 1.3
+ HelloRetryRequest had been sent
+ * CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826)
+ Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
+ * CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965
+ bmo#1595692,bmo#1597321,bmo#1597481)
+ Memory safety bugs fixed in Firefox 72
+- update create-tar.sh to skip compare-locales
+- requires NSPR 4.24 and NSS 3.48
+- removed usage of browser-plugins convention for NPAPI plugins
+ from start wrapper and changed the RPM macro to the
+ /usr/$LIB/mozilla/plugins location (boo#1160302)
+
+-------------------------------------------------------------------
+Mon Dec 2 08:24:05 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 71.0
+ * Improvements to Lockwise, our integrated password manager
+ * More information about Enhanced Tracking Protection in action
+ * Native MP3 decoding on Windows, Linux, and macOS
+ * Configuration page (about:config) reimplemented in HTML
+ * New kiosk mode functionality, which allows maximum screen space
+ for customer-facing displays
+ MFSA 2019-36
+ * CVE-2019-11756 (bmo#1508776)
+ Use-after-free of SFTKSession object
+ * CVE-2019-17008 (bmo#1546331)
+ Use-after-free in worker destruction
+ * CVE-2019-13722 (bmo#1580156) (Windows only)
+ Stack corruption due to incorrect number of arguments in WebRTC code
+ * CVE-2019-17014 (bmo#1322864)
+ Dragging and dropping a cross-origin resource, incorrectly loaded
+ as an image, could result in information disclosure
+ * CVE-2019-17010 (bmo#1581084)
+ Use-after-free when performing device orientation checks
+ * CVE-2019-17005 (bmo#1584170)
+ Buffer overflow in plain text serializer
+ * CVE-2019-17011 (bmo#1591334)
+ Use-after-free when retrieving a document in antitracking
+ * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209
+ bmo#1580288, bmo#1585760, bmo#1592502)
+ Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
+ * CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937
+ bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865
+ bmo#1594181)
+ Memory safety bugs fixed in Firefox 71
+- requires
+ NSPR >= 4.23
+ NSS >= 3.47.1
+ rust/cargo >= 1.37
+- reactivate webrtc for platforms where it was disabled
+- updated create-tar.sh to cover buildid and origin repo information
+ -> removed obsolete source-stamp.txt
+- removed obsolete patches
+ mozilla-bmo1511604.patch
+ mozilla-openaes-decl.patch
+- changed locale building procedure
+ * removed obsolete compare-locales.tar.xz
+- added mozilla-bmo1601707.patch to fix gcc/LTO builds
+ (bmo#1601707, boo#1158466)
+- added mozilla-bmo849632.patch to fix big endian issues in skia
+ used for WebGL
+
+-------------------------------------------------------------------
+Fri Nov 1 14:16:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 70.0.1
+ * Fix for an issue that caused some websites or page elements using
+ dynamic JavaScript to fail to load. (bmo#1592136)
+ * Title bar no longer shows in full screen view (bmo#1588747)
+- added mozilla-bmo1504834-part4.patch to fix some visual issues on
+ big endian platforms
+
+-------------------------------------------------------------------
+Sun Oct 20 20:19:31 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 70.0
+ * more privacy protections from Enhanced Tracking Protection
+ * Firefox Lockwise passwordmanager
+ * Improvements to core engine components, for better browsing on more sites
+ * Improved privacy and security indicators
+ MFSA 2019-34
+ * CVE-2018-6156 (bmo#1480088)
+ Heap buffer overflow in FEC processing in WebRTC
+ * CVE-2019-15903 (bmo#1584907)
+ Heap overflow in expat library in XML_GetCurrentLineNumber
+ * CVE-2019-11757 (bmo#1577107)
+ Use-after-free when creating index updates in IndexedDB
+ * CVE-2019-11759 (bmo#1577953)
+ Stack buffer overflow in HKDF output
+ * CVE-2019-11760 (bmo#1577719)
+ Stack buffer overflow in WebRTC networking
+ * CVE-2019-11761 (bmo#1561502)
+ Unintended access to a privileged JSONView object
+ * CVE-2019-11762 (bmo#1582857)
+ document.domain-based origin isolation has same-origin-property violation
+ * CVE-2019-11763 (bmo#1584216)
+ Incorrect HTML parsing results in XSS bypass technique
+ * CVE-2019-11765 (bmo#1562582)
+ Incorrect permissions could be granted to a website
+ * CVE-2019-17000 (bmo#1441468)
+ CSP bypass using object tag with data: URI
+ * CVE-2019-17001 (bmo#1587976)
+ CSP bypass using object tag when script-src 'none' is specified
+ * CVE-2019-17002 (bmo#1561056)
+ upgrade-insecure-requests was not being honored for links dragged and dropped
+ * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
+ bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950,
+ bmo#1583463, bmo#1586599)
+ Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
+- requires
+ rust/cargo >= 1.36
+ NSPR >= 4.22
+ NSS >= 3.46.1
+ rust-cbindgen >= 0.9.1
+- removed obsolete patches
+ mozilla-bmo1573381.patch
+ mozilla-nestegg-big-endian.patch
+
+-------------------------------------------------------------------
+Sun Oct 13 08:58:12 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 69.0.3
+ * Fixed Yahoo mail users being prompted to download files when
+ clicking on emails (bmo#1582848)
+- devel package build can easily be disabled now
+
+-------------------------------------------------------------------
+Thu Oct 3 08:40:05 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 69.0.2
+ * Fixed a crash when editing files on Office 365 websites (bmo#1579858)
+ * Fixed a Linux-only crash when changing the playback speed while
+ watching YouTube videos (bmo#1582222)
+- updated supported locale list
+- Allow to build without profile guided optimizations (boo#1040589)
+ (contributed by Bernhard Wiedemann)
+- Make build verbose (contributed by Martin Liška)
+- remove obsolete kde.js setting (boo#1151186) and related patch
+ firefox-add-kde.js-in-order-to-survive-PGO-build.patch
+- update create-tar.sh to latest revision and adjusted tar_stamps
+- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO)
+- extension preferences moved from branding package to core package
+ (packaging but not branding specific)
+
+-------------------------------------------------------------------
+Thu Sep 19 13:31:16 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 69.0.1
+ * Fixed external programs launching in the background when clicking
+ a link from inside Firefox to launch them (bmo#1570845)
+ * Usability improvements to the Add-ons Manager for users with
+ screen readers (bmo#1567600)
+ * Fixed the Captive Portal notification bar not being dismissable
+ in some situations after login is complete (bmo#1578633)
+ * Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454)
+ * Fixed missing stacks in the Developer Tools Performance section
+ (bmo#1578354)
+ MFSA 2019-31
+ * CVE-2019-11754 (bmo#1580506)
+ Pointer Lock is enabled with no user notification
+- disable DOH by default
+
+-------------------------------------------------------------------
+Thu Sep 5 13:02:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 69.0
+ * Enhanced Tracking Protection (ETP) for stronger privacy protections
+ * Block Autoplay feature is enhanced to give users the option to block
+ any video
+ * Users in the US or using the en-US browser, can get a new “New Tab”
+ page experience connecting to the best of Pocket's content.
+ * Support for the Web Authentication HmacSecret extension via
+ Windows Hello introduced.
+ * Support for receiving multiple video codecs with this release makes
+ it easier for WebRTC conferencing services to mix video from
+ different clients.
+ MFSA 2019-25 (boo#1149324)
+ * CVE-2019-11741 (bmo#1539595)
+ Isolate addons.mozilla.org and accounts.firefox.com
+ * CVE-2019-5849 (bmo#1555838)
+ Out-of-bounds read in Skia
+ * CVE-2019-11737 (bmo#1388015)
+ Content security policy directives ignore port and path if host is a wildcard
+ * CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641)
+ Memory safety bugs fixed in Firefox 69
+ * CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912,
+ bmo#1565744,bmo#1568858,bmo#1570358)
+ Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
+ * CVE-2019-11740 (bmo#1563133,bmo#1573160)
+ Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
+- requires
+ * rust/cargo >= 1.35
+ * rust-cbindgen >= 0.9.0
+ * mozilla-nss >= 3.45
+- rebased patches
+
+-------------------------------------------------------------------
+Wed Sep 4 15:38:40 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- added a bunch of patches mainly for big endian platforms
+ * mozilla-bmo1504834-part1.patch
+ * mozilla-bmo1504834-part2.patch
+ * mozilla-bmo1504834-part3.patch
+ * mozilla-bmo1511604.patch
+ * mozilla-bmo1554971.patch
+ * mozilla-bmo1573381.patch
+ * mozilla-nestegg-big-endian.patch
+ * mozilla-bmo1512162.patch
+
+-------------------------------------------------------------------
+Fri Aug 30 20:49:11 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 68.1.0
+ MFSA 2019-26
+ * CVE-2019-11751 (bmo#1572838; Windows only)
+ Malicious code execution through command line parameters
+ * CVE-2019-11746 (bmo#1564449)
+ Use-after-free while manipulating video
+ * CVE-2019-11744 (bmo#1562033)
+ XSS by breaking out of title and textarea elements using innerHTML
+ * CVE-2019-11742 (bmo#1559715)
+ Same-origin policy violation with SVG filters and canvas to steal
+ cross-origin images
+ * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only))
+ File manipulation and privilege escalation in Mozilla Maintenance Service
+ * CVE-2019-11753 (bmo#1574980; Windows only)
+ Privilege escalation with Mozilla Maintenance Service in custom
+ Firefox installation location
+ * CVE-2019-11752 (bmo#1501152)
+ Use-after-free while extracting a key value in IndexedDB
+ * CVE-2019-9812 (bmo#1538008, bmo#1538015)
+ Sandbox escape through Firefox Sync
+ * CVE-2019-11743 (bmo#1560495)
+ Cross-origin access to unload event attributes
+ * CVE-2019-11748 (bmo#1564588)
+ Persistence of WebRTC permissions in a third party context
+ * CVE-2019-11749 (bmo#1565374)
+ Camera information available without prompting using getUserMedia
+ * CVE-2019-11750 (bmo#1568397)
+ Type confusion in Spidermonkey
+ * CVE-2019-11738 (bmo#1452037)
+ Content security policy bypass through hash-based sources in directives
+ * CVE-2019-11747 (bmo#1564481)
+ 'Forget about this site' removes sites from pre-loaded HSTS list
+ * CVE-2019-11735i (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912,
+ bmo#1565744,bmo#1568858,bmo#1570358)
+ Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
+ * CVE-2019-11740 (bmo#1563133,bmo#1573160)
+ Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
+- switched package to ESR branch
+- added mozilla-bmo1568145.patch to make builds reproducible
+- removed upstreamed patch mozilla-gcc-internal-compiler-error.patch
+
+-------------------------------------------------------------------
+Sun Aug 18 17:29:25 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 68.0.2:
+ * Fixed a bug causing some special characters to be cut off from
+ the end of the search terms when searching from the URL bar
+ (bmo#1560228)
+ * Allow fonts to be loaded via file:// URLs when opening a page
+ locally (bmo#1565942)
+ * Printing emails from the Outlook web app no longer prints only
+ the header and footer (bmo#1567105)
+ * Fixed a bug causing some images not to be displayed on reload,
+ including on Google Maps (bmo# 1565542)
+ * Fixed an error when starting external applications configured
+ as URI handlers (bmo#1567614)
+ MFSA 2019-24 (boo#1145665)
+ * CVE-2019-11733: Stored passwords in 'Saved Logins' can be
+ copied without master password entry (bmo#1565780)
+- drop fix-build-after-y2038-changes-in-glibc.patch, upstream
+
+-------------------------------------------------------------------
+Fri Aug 16 16:49:24 UTC 2019 - Jonathan Brielmaier <jbrielmaier@suse.de>
+
+- Fix crash when typing in the URL bar on ppc64le (bmo#1512162).
+ The upstream patch doesn't resolve the issue on TW, but compiling
+ with -O1 does. Do this until we have a proper fix.
+
+-------------------------------------------------------------------
+Thu Aug 1 14:25:02 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Update build constraints to fix arm builds
+
+-------------------------------------------------------------------
+Fri Jul 19 08:11:27 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 68.0.1
+ * Fixed missing Full Screen button when watching videos in full
+ screen mode on HBO GO (bmo#1562837)
+ * Fixed a bug causing incorrect messages to appear for some
+ locales when sites try to request the use of the Storage
+ Access API (bmo#1558503)
+ * Users in Russian regions may have their default search engine
+ changed (bmo#1565315)
+ * Built-in search engines in some locales do not function
+ correctly (bmo#1565779)
+ * SupportMenu policy doesn't always work (bmo#1553290)
+ * Allow the privacy.file_unique_origin pref to be controlled by
+ policy (bmo#1563759)
+
+-------------------------------------------------------------------
+Thu Jul 11 10:51:39 UTC 2019 - Jiri Slaby <jslaby@suse.com>
+
+- add fix-build-after-y2038-changes-in-glibc.patch
+
+-------------------------------------------------------------------
+Wed Jul 10 13:47:41 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Generate langpacks sequentially to avoid file corruption
+ from racy file writes (boo#1137970)
+
+-------------------------------------------------------------------
+Mon Jul 8 13:30:35 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 68.0
+ * Dark mode in reader view
+ * Improved extension security and discovery
+ * Cryptomining and fingerprinting protections are added to strict
+ content blocking settings in Privacy & Security preferences
+ * Camera and microphone access now require an HTTPS connection
+ MFSA 2019-21 (bsc#1140868)
+ * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
+ Sandbox escape via installation of malicious languagepack
+ * CVE-2019-11711 (bmo#1552541)
+ Script injection within domain through inner window reuse
+ * CVE-2019-11712 (bmo#1543804)
+ Cross-origin POST requests can be made with NPAPI plugins by
+ following 308 redirects
+ * CVE-2019-11713 (bmo#1528481)
+ Use-after-free with HTTP/2 cached stream
+ * CVE-2019-11714 (bmo#1542593)
+ NeckoChild can trigger crash when accessed off of main thread
+ * CVE-2019-11729 (bmo#1515342)
+ Empty or malformed p256-ECDH public keys may trigger a segmentation fault
+ * CVE-2019-11715 (bmo#1555523)
+ HTML parsing error can contribute to content XSS
+ * CVE-2019-11716 (bmo#1552632)
+ globalThis not enumerable until accessed
+ * CVE-2019-11717 (bmo#1548306)
+ Caret character improperly escaped in origins
+ * CVE-2019-11718 (bmo#1408349)
+ Activity Stream writes unsanitized content to innerHTML
+ * CVE-2019-11719 (bmo#1540541)
+ Out-of-bounds read when importing curve25519 private key
+ * CVE-2019-11720 (bmo#1556230)
+ Character encoding XSS vulnerability
+ * CVE-2019-11721 (bmo#1256009)
+ Domain spoofing through unicode latin 'kra' character
+ * CVE-2019-11730 (bmo#1558299)
+ Same-origin policy treats all files in a directory as having the
+ same-origin
+ * CVE-2019-11723 (bmo#1528335)
+ Cookie leakage during add-on fetching across private browsing boundaries
+ * CVE-2019-11724 (bmo#1512511)
+ Retired site input.mozilla.org has remote troubleshooting permissions
+ * CVE-2019-11725 (bmo#1483510)
+ Websocket resources bypass safebrowsing protections
+ * CVE-2019-11727 (bmo#1552208)
+ PKCS#1 v1.5 signatures can be used for TLS 1.3
+ * CVE-2019-11728 (bmo#1552993)
+ Port scanning through Alt-Svc header
+ * CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692,
+ bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848,
+ bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180)
+ Memory safety bugs fixed in Firefox 68
+ * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
+ bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
+ Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
+- requires
+ * NSS 3.44.1
+ * rust/cargo 1.34
+ * rust-cbindgen 0.8.7
+- rebased patches
+ * mozilla-aarch64-startup-crash.patch
+ * mozilla-kde.patch
+ * mozilla-nongnome-proxies.patch
+ * firefox-kde.patch
+- use new create-tar.sh and add tar_stamps for package definitions
+- added patches imported from SLE flavour
+ * mozilla-gcc-internal-compiler-error.patch
+ * mozilla-bmo1005535.patch
+ * mozilla-ppc-altivec_static_inline.patch
+ * mozilla-reduce-rust-debuginfo.patch
+ * mozilla-s390-bigendian.patch
+ * mozilla-s390-context.patch
+
+-------------------------------------------------------------------
+Mon Jul 2 14:15:17 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Enable PGO for x86_64.
+ * added firefox-add-kde.js-in-order-to-survive-PGO-build.patch
+
+-------------------------------------------------------------------
+Thu Jun 20 06:20:59 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 67.0.4
+ MFSA 2019-19 (boo#1138872)
+ * CVE-2019-11708 (bmo#1559858)
+ sandbox escape using Prompt:Open
+
+-------------------------------------------------------------------
+Tue Jun 18 18:36:15 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 67.0.3
+ MFSA 2019-18 (boo#1138614)
+ * CVE-2019-11707 (bmo#1544386)
+ Type confusion in Array.pop
+
+-------------------------------------------------------------------
+Thu Jun 12 14:56:32 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Mozilla Firefox 67.0.2
+ * Fixed: Fix JavaScript error ("TypeError: data is null in
+ PrivacyFilter.jsm") in console which may significantly degrade
+ sessionstore reliability and performance (bmo#1553413)
+ * Fixed: Proxy authentication dialog box repeatedly pops up
+ asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
+ * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
+ implementation (bmo#1551282)
+ * Fixed: Starting in safe mode on Linux or macOS causes Firefox
+ to think on the subsequent launch that the profile is too
+ recent to be used with this version of Firefox (bmo#1556612)
+ * Fixed: Linux distribution users can't easily install/use
+ additional/different languages using the built-in preferences
+ UI (bmo#1554744)
+ * Fixed: Developer tools users can't copy the href/src content
+ from various HTML tags via the context menu in the Inspector
+ markup view (bmo#1552275)
+ * Fixed: Custom home page is broken with clearing data on shutdown
+ settings applied (bmo#1554167)
+ * Fixed: Performance-regression for eclipse RAP based applications
+ (bmo#1555962)
+ * Fixed: macOS 10.15 crash fix (bmo#1556076)
+ * Fixed: Can't start two downloads in parallel via <a download>
+ anymore (bmo#1542912)
+
+-------------------------------------------------------------------
+Thu Jun 6 06:49:51 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Mozilla Firefox 67.0.1
+ * enable enhanced tracking protection by default for new users
+ * upgrade of Facebook container to version 2.0
+ * new version of Firefox Lockwise (password management)
+ * new version of Firefox Monitor
+ * Firefox Send improvements
+
+-------------------------------------------------------------------
+Sun May 19 20:40:30 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 67.0
+ * Firefox 67 will be able to run different Firefox installs side by side
+ https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
+ * Tabs can now be pinned from the Page Actions menu in the address bar
+ * Users can block known cryptominers and fingerprinters in the
+ Custom settings or their Content Blocking preferences
+ * The Import Data from Another Browser feature is now also available
+ from the File menu
+ * Firefox will now protect you against running older versions which
+ can lead to data corruption and stability issues
+ * Easier access to your list of saved logins from the main menu and
+ login autocomplete
+ * We’ve added a toolbar menu for your Firefox Account to provide more
+ transparency for when you are synced, sharing data across devices
+ and with Firefox. Personalize the appearance of the menu with your
+ own avatar
+ * Enable FIDO U2F API, and permit registrations for Google Accounts
+ * Enabled AV1 support on Linux
+ MFSA 2019-13 (boo#1135824)
+ * CVE-2019-9815 (bmo#1546544)
+ Disable hyperthreading on content JavaScript threads on macOS
+ * CVE-2019-9816 (bmo#1536768)
+ Type confusion with object groups and UnboxedObjects
+ * CVE-2019-9817 (bmo#1540221)
+ Stealing of cross-domain images using canvas
+ * CVE-2019-9818 (bmo#1542581) (Windows only)
+ Use-after-free in crash generation server
+ * CVE-2019-9819 (bmo#1532553)
+ Compartment mismatch with fetch API
+ * CVE-2019-9820 (bmo#1536405)
+ Use-after-free of ChromeEventHandler by DocShell
+ * CVE-2019-9821 (bmo#1539125)
+ Use-after-free in AssertWorkerThread
+ * CVE-2019-11691 (bmo#1542465)
+ Use-after-free in XMLHttpRequest
+ * CVE-2019-11692 (bmo#1544670)
+ Use-after-free removing listeners in the event listener manager
+ * CVE-2019-11693 (bmo#1532525)
+ Buffer overflow in WebGL bufferdata on Linux
+ * CVE-2019-7317 (bmo#1542829)
+ Use-after-free in png_image_free of libpng library
+ * CVE-2019-11694 (bmo#1534196) (Windows only)
+ Uninitialized memory memory leakage in Windows sandbox
+ * CVE-2019-11695 (bmo#1445844)
+ Custom cursor can render over user interface outside of web content
+ * CVE-2019-11696 (bmo#1392955)
+ Java web start .JNLP files are not recognized as executable files
+ for download prompts
+ * CVE-2019-11697 (bmo#1440079)
+ Pressing key combinations can bypass installation prompt delays and
+ install extensions
+ * CVE-2019-11698 (bmo#1543191)
+ Theft of user history data through drag and drop of hyperlinks
+ to and from bookmarks
+ * CVE-2019-11700 (bmo#1549833) (Windows only)
+ res: protocol can be used to open known local files
+ * CVE-2019-11699 (bmo#1528939)
+ Incorrect domain name highlighting during page navigation
+ * CVE-2019-11701 (bmo#1518627)
+ webcal: protocol default handler loads vulnerable web page
+ * CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159,
+ bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425)
+ Memory safety bugs fixed in Firefox 67
+ * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
+ bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
+ bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
+ bmo#1532465, bmo#1533554, bmo#1541580)
+ Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
+- requires
+ * rust/cargo >= 1.32
+ * mozilla-nspr >= 4.21
+ * mozilla-nss >= 3.43
+ * rust-cbindgen >= 0.8.2
+- rebased patches
+- KDE integration for default browser detection is broken in this revision
+
+-------------------------------------------------------------------
+Fri May 17 12:04:49 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Fix armv7 build with:
+ * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
+
+-------------------------------------------------------------------
+Fri May 10 10:30:05 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Mozilla Firefox 66.0.5
+ * Fixed: Further improvements to re-enable web extensions which
+ had been disabled for users with a master password set (bmo#1549249)
+
+-------------------------------------------------------------------
+Sun May 5 20:21:02 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 66.0.4 (boo#1134126)
+ * fix extension certificate chain
+ https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
+
+-------------------------------------------------------------------
+Thu Apr 11 09:16:17 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Mozilla Firefox 66.0.3
+ * Fixed: Address bar on tablets running Windows 10 now behaves
+ correctly (bmo#1498973)
+ * Fixed: Performance issues with some HTML5 games (bmo#1537609)
+ * Fixed a bug with keypress events in IBM cloud applications
+ (bmo#1538970)
+ * Fix for keypress events in some Microsoft cloud applications
+ (bmo#1539618)
+ * Changed: Updated Baidu search plugin
+
+-------------------------------------------------------------------
+Thu Mar 28 19:01:41 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Mozilla Firefox 66.0.2
+ * Fixed Web compatibility issues with Office 365, iCloud and
+ IBM WebMail caused by recent changes to the handling of
+ keyboard events (bmo#1538966)
+ * Crash fixes (bmo#1521370, bmo#1539118)
+
+-------------------------------------------------------------------
+Thu Mar 28 09:58:36 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Add patch to fix aarch64 build:
+ * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
+
+-------------------------------------------------------------------
+Fri Mar 22 22:22:08 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 66.0.1
+ MFSA 2019-09 (bsc#1130262)
+ * CVE-2019-9810 (bmo#1537924)
+ IonMonkey MArraySlice has incorrect alias information
+ * CVE-2019-9813 (bmo#1538006)
+ Ionmonkey type confusion with __proto__ mutations
+
+-------------------------------------------------------------------
+Sun Mar 17 10:08:51 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 66.0
+ * Increased content processes to 8
+ * Added capability to search through open tabs from the tab overflow menu
+ * New backend for the storage.local WebExtensions API, providing
+ I/O performance improvements when the extension updates a small
+ subset of the stored data
+ * WebExtension keyboard shortcuts can now be managed or overridden
+ from about:addons
+ * Improved scrolling behavior: Firefox will now attempt to keep content
+ from jumping around while a page is loading by supporting scroll
+ anchoring
+ * New about:privatebrowsing with search
+ * A certificate error page now notifies the user of the name of the
+ certificate issuer that breaks HTTPs connections on intercepted
+ connections to help troubleshooting possible anti-virus software
+ issues.
+ * Fixed an performance issue some Linux users experienced with the
+ Downloads panel (bmo#1517101)
+ * Firefox now blocks all autoplay media with sound by default. Users
+ can add individual sites to an exceptions list or turn the blocking
+ off.
+ * System title bar is hidden by default to match Gnome guideline
+ MFSA 2019-07 (bsc#1129821)
+ * CVE-2019-9790 (bmo#1525145)
+ Use-after-free when removing in-use DOM elements
+ * CVE-2019-9791 (bmo#1530958)
+ Type inference is incorrect for constructors entered through on-stack
+ replacement with IonMonkey
+ * CVE-2019-9792 (bmo#1532599)
+ IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
+ * CVE-2019-9793 (bmo#1528829)
+ Improper bounds checks when Spectre mitigations are disabled
+ * CVE-2019-9794 (bmo#1530103) (Windows only)
+ Command line arguments not discarded during execution
+ * CVE-2019-9795 (bmo#1514682)
+ Type-confusion in IonMonkey JIT compiler
+ * CVE-2019-9796 (bmo#1531277)
+ Use-after-free with SMIL animation controller
+ * CVE-2019-9797 (bmo#1528909)
+ Cross-origin theft of images with createImageBitmap
+ * CVE-2019-9798 (bmo#1527534) (Android only)
+ Library is loaded from world writable APITRACE_LIB location
+ * CVE-2019-9799 (bmo#1505678)
+ Information disclosure via IPC channel messages
+ * CVE-2019-9801 (bmo#1527717) (Windows only)
+ Windows programs that are not 'URL Handlers' are exposed to web content
+ * CVE-2019-9802 (bmo#1415508)
+ Chrome process information leak
+ * CVE-2019-9803 (bmo#1515863, bmo#1437009)
+ Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
+ * CVE-2019-9804 (bmo#1518026) (MacOS only)
+ Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
+ * CVE-2019-9805 (bmo#1521360)
+ Potential use of uninitialized memory in Prio
+ * CVE-2019-9806 (bmo#1525267)
+ Denial of service through successive FTP authorization prompts
+ * CVE-2019-9807 (bmo#1362050)
+ Text sent through FTP connection can be incorporated into alert messages
+ * CVE-2019-9809 (bmo#1282430, bmo#1523249)
+ Denial of service through FTP modal alert error messages
+ * CVE-2019-9808 (bmo#1434634)
+ WebRTC permissions can display incorrect origin with data: and blob: URLs
+ * CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337,
+ bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579,
+ bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821
+ Memory safety bugs fixed in Firefox 66
+ * CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665,
+ bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203
+ Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
+- updated build/runtime requirements
+ * mozilla-nss >= 3.42.1
+ * cargo/rust >= 1.31
+ * rust-cbindgen >= 0.6.8
+ * nasm >= 2.13 (new)
+- removed obsolete patch
+ * mozilla-bmo256180.patch
+
+-------------------------------------------------------------------
+Tue Mar 5 10:17:01 UTC 2019 - Stephan Kulow <coolo@suse.com>
+
+- Do not hardcode nodejs8 but leave the prefer to the distribution
+ (Tumbleweed staging wants to switch to nodejs10)
+
+-------------------------------------------------------------------
+Fri Feb 15 13:45:57 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Update _constraints to avoid 'no space left' error seen on aarch64
+
+-------------------------------------------------------------------
+Wed Feb 13 07:17:28 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 65.0.1
+ * Fixed accidental requests to addons.mozilla.org when an addon
+ recommendation doorhanger is shown (bmo#1526387)
+ * Improved playback of interactive Netflix videos (bmo#1524500)
+ * Fixed incorrect sizing of the "Clear Recent History" window in
+ some situations (bmo#1523696)
+ * Fixed audio & video delays while making WebRTC calls
+ (bmo#1521577, bmo#1523817)
+ * Fixed video sizing problems during some WebRTC calls (bmo#1520200)
+ * Fixed looping CONNECT requests when using WebSockets over HTTP/2
+ from behind a proxy server (bmo#1523427)
+ * Fixed the "Enter" key not working on password entry fields for
+ certain Linux distributions (bmo#1523635)
+ MFSA 2019-04 (bsc#1125330)
+ * CVE-2018-18356 bmo#1525817
+ Use-after-free in Skia
+ * CVE-2019-5785 bmo#1525433
+ Integer overflow in Skia
+ * CVE-2018-18511 bmo#1526218
+ Cross-origin theft of images with ImageBitmapRenderingContext
+
+-------------------------------------------------------------------
+Wed Feb 13 06:12:43 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Enable LTO only for latest new toolchain (boo#1125038) for x86_64
+ (with increased memory constraints)
+
+-------------------------------------------------------------------
+Sat Jan 26 22:37:01 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 65.0
+ * Enhanced tracking protection
+ * allow switching of UI locales within preferences
+ * support for the WebP image format
+ * "top"-like about:performance
+ MFSA 2019-01 (bsc#1122983)
+ * CVE-2018-18500 bmo#1510114
+ Use-after-free parsing HTML5 stream
+ * CVE-2018-18503 bmo#1509442
+ Memory corruption with Audio Buffer
+ * CVE-2018-18504 bmo#1496413
+ Memory corruption and out-of-bounds read of texture client
+ * CVE-2018-18505 bmo#1497749
+ Privilege escalation through IPC channel messages
+ * CVE-2018-18506 bmo#1503393
+ Proxy Auto-Configuration file can define localhost access to be proxied
+ * CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762
+ bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580
+ bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758
+ Memory safety bugs fixed in Firefox 65
+ * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
+ bmo#1502871 bmo#1516738 bmo#1516514
+ Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
+- requires
+ NSS 3.41
+ rust/carge 1.30
+ rust-cbindgen 0.6.7
+- rebased patches
+- remove workaround for build memory consumption on i586; other
+ mitigations meanwhile introduced (mainly parallelity) will be
+ sufficient
+ mozilla-reduce-files-per-UnifiedBindings.patch
+
+-------------------------------------------------------------------
+Tue Jan 15 14:32:03 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Increase disk constraint.
+
+-------------------------------------------------------------------
+Mon Jan 14 12:12:12 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Remove -v from mach build in order to work-around bmo#1500436.
+
+-------------------------------------------------------------------
+Fri Jan 11 15:07:14 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Set %clang_build to false on all architectures
+- Do not use -fno-delete-null-pointer-checks and -fno-strict-aliasing:
+ it should not be needed anymore
+- Do not overwrite enable-optimize and when possible
+ enable --enable-debug-symbols.
+- Add -v to mach in order to make build verbose.
+
+-------------------------------------------------------------------
+Wed Jan 9 22:40:14 UTC 2019 - astieger@suse.com
+
+- Mozilla Firefox 64.0.2:
+ * Update the Japanese translation for missing strings (bmo#1513259)
+ * Properly restore column sizes in developer tools inspector (bmo#1503175)
+ * Fixed video stuttering on Youtube (bmo#1513511)
+ * Fix updates for some lightweight themes (bmo#1508777)
+
+-------------------------------------------------------------------
+Tue Dec 18 14:46:41 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Enable build_hardened for all architectures
+- Switch back aarch64 to clang as '-fPIC' fixes bmo#1513605
+- Remove obolete '--enable-pie' as -pie is always enabled for
+ gcc and clang
+
+-------------------------------------------------------------------
+Wed Dec 12 17:33:29 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Switch aarch64 builds back to gcc, not clang (bmo#1513605)
+- Switch %arm builds back to gcc, not clang to avoid OOM
+- Fix build flags when clang is not used
+- Fix flags for clang ppc64 builds
+
+-------------------------------------------------------------------
+Tue Dec 11 08:45:56 UTC 2018 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to Firefox 64.0
+ * Better recommendations: You may see suggestions in regular browsing
+ mode for new and relevant Firefox features, services, and extensions
+ based on how you use the web (for US users only)
+ * Enhanced tab management: You can now select multiple tabs from the
+ tab bar and close, move, bookmark, or pin them quickly and easily
+ * Easier performance management: The new Task Manager page found at
+ about:performance lets you see how much energy each open tab consumes
+ and provides access to close tabs to conserve power
+ * Improved performance for Mac and Linux users, by enabling link time
+ optimization (Clang LTO).
+ * Added option to remove add-ons using the context menu on their
+ toolbar buttons
+ * RSS feed preview and live bookmarks are available only via add-ons
+ * TLS certificates issued by Symantec are no longer trusted by Firefox.
+ Website operators are strongly encouraged to replace any remaining
+ Symantec TLS certificates as soon as possible
+ MFSA 2018-29 (bsc#1119105)
+ * CVE-2018-12407 bmo#1505973
+ Buffer overflow with ANGLE library when using VertexBuffer11 module
+ * CVE-2018-17466 bmo#1488295
+ Buffer overflow and out-of-bounds read in ANGLE library with
+ TextureStorage11
+ * CVE-2018-18492 bmo#1499861
+ Use-after-free with select element
+ * CVE-2018-18493 bmo#1504452
+ Buffer overflow in accelerated 2D canvas with Skia
+ * CVE-2018-18494 bmo#1487964
+ Same-origin policy violation using location attribute and
+ performance.getEntries to steal cross-origin URLs
+ * CVE-2018-18495 bmo#1427585
+ WebExtension content scripts can be loaded in about: pages
+ * CVE-2018-18496 bmo#1422231 (Windows only)
+ Embedded feed preview page can be abused for clickjacking
+ * CVE-2018-18497 bmo#1488180
+ WebExtensions can load arbitrary URLs through pipe separators
+ * CVE-2018-18498 bmo#1500011
+ Integer overflow when calculating buffer sizes for images
+ * CVE-2018-12406 bmo#1456947 bmo#1475669 bmo#1504816 bmo#1502886
+ bmo#1500064 bmo#1500310 bmo#1500696 bmo#1498765 bmo#1499198 bmo#1434490
+ bmo#1481745 bmo#1458129
+ Memory safety bugs fixed in Firefox 64
+ * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
+ bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
+ Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
+- requires
+ * rust/cargo >= 1.29
+ * mozilla-nss >= 3.40.1
+ * rust-cbindgen >= 0.6.4
+- rebased patches
+- removed obsolete patch
+ * mozilla-bmo1491289.patch
+- now uses clang primarily for compilation
+
+-------------------------------------------------------------------
+Wed Nov 28 11:07:18 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Remove --disable-elf-hack when not available: on aarch64 and ppc64*
+
+-------------------------------------------------------------------
+Mon Nov 26 09:46:02 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Clean-up %arm build
+
+-------------------------------------------------------------------
+Sun Nov 18 11:01:21 UTC 2018 - manfred.h@gmx.net
+
+- update to Firefox 63.0.3
+ * Games using WebGL (created in Unity) get stuck after very short
+ time of gameplay (bmo#1502748)
+ * Slow page loading for some users with specific proxy configurations
+ (bmo#1495024)
+ * Disable HTTP response throttling by default for causing bugs with
+ videos in background tabs (bmo#1503354)
+ * Opening magnet links no longer works (bmo#1498934)
+ * Crash fixes (bmo#1498510, bmo#1503424)
+- removed mozilla-newer-cbindgen.patch; no longer needed
+
+-------------------------------------------------------------------
+Thu Nov 8 14:59:13 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 63.0.1
+ * Snippets are not loaded due to missing element (bmo#1503047)
+ * Print preview always shows 30& scale when it is actually
+ Shrink To Fit (bmo#1501952)
+ * Dialog displayed when closing multiple windows shows unreplaced
+ %1$S placeholder in Japanese and potentially other locales
+ (bmo#1500823)
+
+-------------------------------------------------------------------
+Mon Oct 29 14:07:51 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 63.0
+ * WebExtensions now run in their own process on Linux
+ * The Ctrl+Tab shortcut now displays thumbnail previews of your
+ tabs and cycles through tabs in recently used order. This new
+ default behavior is activated only in new profiles and can be
+ changed in preferences.
+ * Added support for Web Components custom elements and shadow DOM
+ MFSA 2018-26 (bsc#1112852)
+ * CVE-2018-12391 (bmo#1478843) (Android-only)
+ HTTP Live Stream audio data is accessible cross-origin
+ * CVE-2018-12392 (bmo#1492823)
+ Crash with nested event loops
+ * CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs)
+ Integer overflow during Unicode conversion while loading JavaScript
+ * CVE-2018-12395 (bmo#1467523)
+ WebExtension bypass of domain restrictions through header rewriting
+ * CVE-2018-12396 (bmo#1483602)
+ WebExtension content scripts can execute in disallowed contexts
+ * CVE-2018-12397 (bmo#1487478)
+ Missing warning prompt when WebExtension requests local file access
+ * CVE-2018-12398 (bmo#1460538, bmo#1488061)
+ CSP bypass through stylesheet injection in resource URIs
+ * CVE-2018-12399 (bmo#1490276)
+ Spoofing of protocol registration notification bar
+ * CVE-2018-12400 (bmo#1448305) (Android only)
+ Favicons are cached in private browsing mode on Firefox for Android
+ * CVE-2018-12401 (bmo#1422456)
+ DOS attack through special resource URI parsing
+ * CVE-2018-12402 (bmo#1469916)
+ SameSite cookies leak when pages are explicitly saved
+ * CVE-2018-12403 (bmo#1484753)
+ Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP
+ * CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427,
+ bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167)
+ Memory safety bugs fixed in Firefox 63
+ * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
+ bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
+ bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
+ bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
+ Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
+- requires NSPR 4.20, NSS 3.39 and Rust 1.28
+- latest rust does not provide rust-std so stop requiring it
+- requires rust-cbindgen >= 0.6.2 to build
+- requires nodejs >= 8.11 to build
+- added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289)
+- added mozilla-cubeb-noreturn.patch to fix non-return function
+- added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7
+- disable elfhack for TW and newer due to build errors
+- removed obsolete patches
+ * mozilla-no-return.patch
+ * mozilla-no-stdcxx-check.patch
+
+-------------------------------------------------------------------
+Thu Oct 25 14:39:04 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Update _constraints for armv6/7
+
+-------------------------------------------------------------------
+Thu Oct 25 08:50:24 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Add patch to fix build on armv7:
+ * mozilla-bmo1463035.patch
+
+-------------------------------------------------------------------
+Tue Oct 2 21:28:31 UTC 2018 - astieger@suse.com
+
+- Mozilla Firefox 62.0.3:
+ MFSA 2018-24
+ * CVE-2018-12386 (bsc#1110506, bmo#1493900)
+ Type confusion in JavaScript allowed remote code execution
+ * CVE-2018-12387 (bsc#1110507, bmo#1493903)
+ Array.prototype.push stack pointer vulnerability may enable
+ exploits in the sandboxed content process
+
+-------------------------------------------------------------------
+Sat Sep 22 09:03:53 UTC 2018 - astieger@suse.com
+
+- Mozilla Firefox 62.0.2:
+ MFSA 2018-22
+ * CVE-2018-12385 (boo#1109363, bmo#1490585)
+ Crash in TransportSecurityInfo due to cached data
+ * Unvisited bookmarks can once again be autofilled in the address
+ bar
+ * Fix WebGL rendering issues
+ * Fix fallback on startup when a language pack is missing
+ * Avoid crash when sharing a profile with newer (as yet
+ unreleased) versions of Firefox
+ * Do not undo removal of search engines when using a language
+ pack
+ * Fixed rendering of some web sites
+ * Restored compatibility with some sites using deprecated TLS
+ settings
+- disable rust debug symbols to fix build on %ix86
+
+-------------------------------------------------------------------
+Mon Sep 3 10:47:43 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 62.0
+ * Firefox Home (the default New Tab) now allows users to display
+ up to 4 rows of top sites, Pocket stories, and highlights
+ * "Reopen in Container" tab menu option appears for users with
+ Containers that lets them choose to reopen a tab in a different
+ container
+ * In advance of removing all trust for Symantec-issued certificates
+ in Firefox 63, a preference was added that allows users to distrust
+ certificates issued by Symantec. To use this preference, go to
+ about:config in the address bar and set the preference
+ "security.pki.distrust_ca_policy" to 2.
+ * Support for CSS Shapes, allowing for richer web page layouts.
+ This goes hand in hand with a brand new Shape Path Editor in the
+ CSS inspector.
+ * CSS Variable Fonts (OpenType Font Variations) support, which makes
+ it possible to create beautiful typography with a single font file
+ * Added Canadian English (en-CA) locale
+ MFSA 2018-20 (bsc#1107343)
+ * CVE-2018-12377 (bmo#1470260)
+ Use-after-free in refresh driver timers
+ * CVE-2018-12378 (bmo#1459383)
+ Use-after-free in IndexedDB
+ * CVE-2018-12379 (bmo#1473113) (updater is disabled for us)
+ Out-of-bounds write with malicious MAR file
+ * CVE-2017-16541 (bmo#1412081)
+ Proxy bypass using automount and autofs
+ * CVE-2018-12381 (bmo#1435319)
+ Dragging and dropping Outlook email message results in page navigation
+ * CVE-2018-12382 (bmo#1479311) (Android only)
+ Addressbar spoofing with javascript URI on Firefox for Android
+ * CVE-2018-12383 (bmo#1475775)
+ Setting a master password post-Firefox 58 does not delete
+ unencrypted previously stored passwords
+ * CVE-2018-12375
+ Memory safety bugs fixed in Firefox 62
+ * CVE-2018-12376
+ Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
+- requires NSS >= 3.38
+- removed obsolete patch
+ mozilla-bmo1464766.patch
+
+-------------------------------------------------------------------
+Thu Aug 9 14:22:00 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 61.0.2
+ * Improved website rendering with the Retained Display List feature
+ enabled (bmo#1474402)
+ * Fixed broken DevTools panels with certain extensions installed
+ (bmo#1474379)
+ * Fixed a crash for users with some accessibility tools enabled
+ (bmo#1474007)
+
+-------------------------------------------------------------------
+Mon Jul 9 07:22:09 UTC 2018 - astieger@suse.com
+
+- Mozilla Firefox 61.0.1:
+ * Fix missing content on the New Tab Page and the Home section of
+ the Preferences page (bmo#1471375)
+ * Fixed loss of bookmarks under rare circumstances when upgrading
+ from Firefox 60 (bmo#1472127)
+ * Improved playback of Twitch 1080p video streams (bmo#1469257)
+ * Web pages no longer lose focus when a browser popup window is
+ opened (bmo#1471415)
+ * Re-allowed downloading files from FTP sites via the "Save Link
+ As" option when linked from HTTP pages (bmo#1470295)
+ * Fixed extensions being unable to override the default homepage
+ in certain situations (bmo#1466846)
+
+-------------------------------------------------------------------
+Sat Jun 23 07:25:51 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 61.0
+ * Performance enhancements
+ * Various improvements for dark theme support will provide a more
+ consistent experience across the entire Firefox UI
+ * OpenSearch plugins offered by web pages can now be added from the
+ page action menu for easier installation
+ * Improved support for allowing WebExtensions to manage and hide tabs
+ MFSA 2018-15 (bsc#1098998)
+ * CVE-2018-12359 (bmo#1459162)
+ Buffer overflow using computed size of canvas element
+ * CVE-2018-12360 (bmo#1459693)
+ Use-after-free when using focus()
+ * CVE-2018-12361 (bmo#1463244)
+ Integer overflow in SwizzleData
+ * CVE-2018-12358 (bmo#1467852)
+ Same-origin bypass using service worker and redirection
+ * CVE-2018-12362 (bmo#1452375)
+ Integer overflow in SSSE3 scaler
+ * CVE-2018-5156 (bmo#1453127)
+ Media recorder segmentation fault when track type is changed during capture
+ * CVE-2018-12363 (bmo#1464784)
+ Use-after-free when appending DOM nodes
+ * CVE-2018-12364 (bmo#1436241)
+ CSRF attacks through 307 redirects and NPAPI plugins
+ * CVE-2018-12365 (bmo#1459206)
+ Compromised IPC child process can list local filenames
+ * CVE-2018-12371 (bmo#1465686)
+ Integer overflow in Skia library during edge builder allocation
+ * CVE-2018-12366 (bmo#1464039)
+ Invalid data handling during QCMS transformations
+ * CVE-2018-12367 (bmo#1462891)
+ Timing attack mitigation of PerformanceNavigationTiming
+ * CVE-2018-12369 (bmo#1454909)
+ WebExtension security permission checks bypassed by embedded experiments
+ * CVE-2018-12370 (bmo#1456652)
+ SameSite cookie protections bypassed when exiting Reader View
+ * CVE-2018-5186 (bmo#1464872,bmo#1463329,bmo#1419373,bmo#1412882,
+ bmo#1413033,bmo#1444673,bmo#1454448,bmo#1453505,bmo#1438671)
+ Memory safety bugs fixed in Firefox 61
+ * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
+ bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
+ bmo#1463884)
+ Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
+ * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
+ bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
+ bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
+ bmo#1464079,bmo#1463494,bmo#1458048)
+ Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
+- requires NSS 3.37.3
+- requires python >= 3.5 to build
+- removed obsolete patches
+ mozilla-i586-DecoderDoctorLogger.patch
+ mozilla-i586-domPrefs.patch
+ mozilla-fix-skia-aarch64.patch
+ mozilla-bmo1375074.patch
+ mozilla-enable-csd.patch
+- patch for new no-return warnings (mozilla-no-return.patch)
+- do not disable system installed locales (mozilla-bmo1464766.patch)
+
+-------------------------------------------------------------------
+Fri Jun 8 10:52:13 UTC 2018 - bjorn.lie@gmail.com
+
+- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
+ conditional --disable-gconf to configure: no longer pull in
+ obsolete gconf2 for Tumbleweed.
+
+-------------------------------------------------------------------
+Thu Jun 7 12:11:06 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 60.0.2
+ * requires NSS 3.36.4
+ MFSA 2018-14 (bsc#1096449)
+ * CVE-2018-6126 (bmo#1462682)
+ Heap buffer overflow rasterizing paths in SVG with Skia
+
+-------------------------------------------------------------------
+Wed Jun 6 18:57:52 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Add upstream patch to fix boo#1093059 instead of '-ffixed-x28'
+ workaround:
+ * mozilla-bmo1375074.patch
+
+-------------------------------------------------------------------
+Sat May 26 15:53:25 UTC 2018 - wr@rosenauer.org
+
+- fixed "open with" option under KDE (boo#1094747)
+- workaround crash on startup on aarch64 (boo#1093059)
+ (contributed by guillaume.gardet@arm.com)
+
+-------------------------------------------------------------------
+Wed May 23 08:49:09 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Disable webrtc for aarch64 due to bmo#1434589
+- Add patch to fix skia build on AArch64:
+ * mozilla-fix-skia-aarch64.patch
+
+-------------------------------------------------------------------
+Thu May 17 14:01:18 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 60.0.1
+ * Avoid overly long cycle collector pauses with some add-ons installed
+ (bmo#1449033)
+ * After unckecking the "Sponsored Stories" option, the New Tab page
+ now immediately stops displaying "Sponsored content" cards (bmo#1458906)
+ * On touchscreen devices, fixed momentum scrolling on non-zoomable pages
+ (bmo#1457743)
+ * Use the right default background when opening tabs or windows in
+ high contrast mode (bmo#1458956)
+ * Restored translations of the Preferences panels when using a
+ language pack (bmo#1461590)
+
+-------------------------------------------------------------------
+Mon May 14 13:37:38 UTC 2018 - pcerny@suse.com
+
+- parellelise locales building
+
+-------------------------------------------------------------------
+Mon May 7 08:32:28 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 60.0
+ * Added a policy engine that allows customized Firefox deployments
+ in enterprise environments, using Windows Group Policy or a
+ cross-platform JSON file
+ * Applied Quantum CSS to render browser UI
+ * Added support for Web Authentication, allowing the use of USB
+ tokens for authentication to web sites
+ * Locale added: Occitan (oc)
+ MFSA 2018-11 (bsc#1092548)
+ * CVE-2018-5154 (bmo#1443092)
+ Use-after-free with SVG animations and clip paths
+ * CVE-2018-5155 (bmo#1448774)
+ Use-after-free with SVG animations and text paths
+ * CVE-2018-5157 (bmo#1449898)
+ Same-origin bypass of PDF Viewer to view protected PDF files
+ * CVE-2018-5158 (bmo#1452075)
+ Malicious PDF can inject JavaScript into PDF Viewer
+ * CVE-2018-5159 (bmo#1441941)
+ Integer overflow and out-of-bounds write in Skia
+ * CVE-2018-5160 (bmo#1436117)
+ Uninitialized memory use by WebRTC encoder
+ * CVE-2018-5152 (bmo#1415644, bmo#1427289)
+ WebExtensions information leak through webRequest API
+ * CVE-2018-5153 (bmo#1436809)
+ Out-of-bounds read in mixed content websocket messages
+ * CVE-2018-5163 (bmo#1426353)
+ Replacing cached data in JavaScript Start-up Bytecode Cache
+ * CVE-2018-5164 (bmo#1416045)
+ CSP not applied to all multipart content sent with
+ multipart/x-mixed-replace
+ * CVE-2018-5166 (bmo#1437325)
+ WebExtension host permission bypass through filterReponseData
+ * CVE-2018-5167 (bmo#1447969)
+ Improper linkification of chrome: and javascript: content in
+ web console and JavaScript debugger
+ * CVE-2018-5168 (bmo#1449548)
+ Lightweight themes can be installed without user interaction
+ * CVE-2018-5169 (bmo#1319157)
+ Dragging and dropping link text onto home button can set home page
+ to include chrome pages
+ * CVE-2018-5172 (bmo#1436482)
+ Pasted script from clipboard can run in the Live Bookmarks page
+ or PDF viewer
+ * CVE-2018-5173 (bmo#1438025)
+ File name spoofing of Downloads panel with Unicode characters
+ * CVE-2018-5174 (bmo#1447080) (Windows-only)
+ Windows Defender SmartScreen UI runs with less secure behavior
+ for downloaded files in Windows 10 April 2018 Update
+ * CVE-2018-5175 (bmo#1432358)
+ Universal CSP bypass on sites using strict-dynamic in their policies
+ * CVE-2018-5176 (bmo#1442840)
+ JSON Viewer script injection
+ * CVE-2018-5177 (bmo#1451908)
+ Buffer overflow in XSLT during number formatting
+ * CVE-2018-5165 (bmo#1451452)
+ Checkbox for enabling Flash protected mode is inverted in 32-bit
+ Firefox
+ * CVE-2018-5180 (bmo#1444086)
+ heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
+ * CVE-2018-5181 (bmo#1424107)
+ Local file can be displayed in noopener tab through drag and
+ drop of hyperlink
+ * CVE-2018-5182 (bmo#1435908)
+ Local file can be displayed from hyperlink dragged and dropped
+ on addressbar
+ * CVE-2018-5151
+ Memory safety bugs fixed in Firefox 60
+ * CVE-2018-5150
+ Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
+- removed obsolete patches
+ 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
+ mozilla-bmo1005535.patch
+- requires NSPR 4.19 and NSS 3.36.1
+- requires rust 1.24 or higher
+- use upstream source archive and detached signature for
+ source verification
+
+-------------------------------------------------------------------
+Thu May 3 14:33:37 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Fix armv7 build by:
+ * adding RUSTFLAGS="-Cdebuginfo=0"
+ * updating _constraints for %arm
+
+-------------------------------------------------------------------
+Wed May 2 20:46:37 UTC 2018 - wr@rosenauer.org
+
+- do not try CSD on kwin (boo#1091592)
+- fix build in openSUSE:Leap:42.3:Update, use gcc7
+
+-------------------------------------------------------------------
+Tue May 1 14:26:24 UTC 2018 - astieger@suse.com
+
+- Mozilla Firefox 59.0.3:
+ * fixes for platforms other than GNU/Linux
+
+-------------------------------------------------------------------
+Fri Apr 20 12:31:52 UTC 2018 - mliska@suse.cz
+
+- Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
+ in order to fix boo#1090362.
+
+-------------------------------------------------------------------
+Mon Apr 2 00:55:45 UTC 2018 - badshah400@gmail.com
+
+- Add back mozilla-enable-csd.patch: New rebased version from
+ Fedora for version 59.0.x.
+
+-------------------------------------------------------------------
+Tue Mar 27 14:07:11 UTC 2018 - schwab@suse.de
+
+- Reduce constraints on aarch64
+
+-------------------------------------------------------------------
+Tue Mar 27 06:40:25 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 59.0.2
+ * Invalid page rendering with hardware acceleration enabled (bmo#1435472)
+ * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
+ that use those keys with resistFingerprinting enabled (bmo#1433592)
+ * High CPU / memory churn caused by third-party software on some
+ computers (bmo#1446280)
+ * Users who have configured an "automatic proxy configuration URL"
+ and want to reload their proxy settings from the URL will find
+ the Reload button disabled in the Connection Settings dialog when
+ they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
+ * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
+ * User's trying to cancel a print around the time it completes will
+ continue to get intermittent crashes (bmo#1441598)
+ MFSA 2018-10 (bsc#1087059)
+ * CVE-2018-5148 (bmo#1440717)
+ Use-after-free in compositor
+- removed obsolete patch mozilla-bmo1446062.patch
+
+-------------------------------------------------------------------
+Wed Mar 21 17:14:24 UTC 2018 - cgrobertson@suse.com
+
+- Added patches:
+ * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070
+ fixes non-unified build error
+ * mozilla-i586-domPrefs.patch - DOMPrefs.h
+ fixes 32bit build error
+
+-------------------------------------------------------------------
+Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 59.0.1 (bsc#1085671)
+ MFSA 2018-08
+ * CVE-2018-5146 (bmo#1446062)
+ Vorbis audio processing out of bounds write
+ * CVE-2018-5147 (bmo#1446365)
+ Out of bounds memory write in libtremor
+ (mozilla-bmo1446062.patch)
+
+-------------------------------------------------------------------
+Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com
+
+- Added patch:
+ * mozilla-bmo1005535.patch:
+ Enable skia_gpu on big endian platforms.
+
+-------------------------------------------------------------------
+Sun Mar 11 22:12:12 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 59.0
+ * Performance enhancements
+ * Drag-and-drop to rearrange Top Sites on the Firefox Home page
+ * added features for Firefox Screenshots
+ * Enhanced WebExtensions API
+ * Improved RTC capabilities
+ MFSA 2018-06 (bsc#1085130)
+ * CVE-2018-5127 (bmo#1430557)
+ Buffer overflow manipulating SVG animatedPathSegList
+ * CVE-2018-5128 (bmo#1431336)
+ Use-after-free manipulating editor selection ranges
+ * CVE-2018-5129 (bmo#1428947)
+ Out-of-bounds write with malformed IPC messages
+ * CVE-2018-5130 (bmo#1433005)
+ Mismatched RTP payload type can trigger memory corruption
+ * CVE-2018-5131 (bmo#1440775)
+ Fetch API improperly returns cached copies of no-store/no-cache resources
+ * CVE-2018-5132 (bmo#1408194)
+ WebExtension Find API can search privileged pages
+ * CVE-2018-5133 (bmo#1430511, bmo#1430974)
+ Value of the app.support.baseURL preference is not properly sanitized
+ * CVE-2018-5134 (bmo#1429379)
+ WebExtensions may use view-source: URLs to bypass content restrictions
+ * CVE-2018-5135 (bmo#1431371)
+ WebExtension browserAction can inject scripts into unintended contexts
+ * CVE-2018-5136 (bmo#1419166)
+ Same-origin policy violation with data: URL shared workers
+ * CVE-2018-5137 (bmo#1432870)
+ Script content can access legacy extension non-contentaccessible resources
+ * CVE-2018-5138 (bmo#1432624) (Android only)
+ Android Custom Tab address spoofing through long domain names
+ * CVE-2018-5140 (bmo#1424261)
+ Moz-icon images accessible to web content through moz-icon: protocol
+ * CVE-2018-5141 (bmo#1429093)
+ DOS attack through notifications Push API
+ * CVE-2018-5142 (bmo#1366357)
+ Media Capture and Streams API permissions display incorrect origin
+ with data: and blob: URLs
+ * CVE-2018-5143 (bmo#1422643)
+ Self-XSS pasting javascript: URL with embedded tab into addressbar
+ * CVE-2018-5126
+ Memory safety bugs fixed in Firefox 59
+ * CVE-2018-5125
+ Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
+- requires NSPR 4.18 and NSS 3.35
+- requires rust >= 1.22.1
+- removed obsolete patches:
+ mozilla-alsa-sandbox.patch
+ mozilla-enable-csd.patch
+ firefox-no-default-ualocale.patch
+- removed l10n_changesets.txt since same information is now in
+ Firefox source tree (updated create-tar.sh now requires jq)
+
+-------------------------------------------------------------------
+Fri Feb 9 13:37:46 UTC 2018 - astieger@suse.com
+
+- Mozilla Firefox 58.0.2:
+ * Blocklisted graphics drivers related to off main thread painting
+ crashes
+ * Fix tab crash during printing
+ * Fix clicking links and scrolling emails on Microsoft Hotmail
+ and Outlook (OWA) webmail
+
+-------------------------------------------------------------------
+Fri Feb 9 12:06:31 UTC 2018 - wr@rosenauer.org
+
+- correct requires and provides handling (boo#1076907)
+
+-------------------------------------------------------------------
+Tue Feb 6 07:03:42 UTC 2018 - fstrba@suse.com
+
+- Added patch:
+ * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
+ or again?) not working in Firefox 58 due to sandboxing.
+
+-------------------------------------------------------------------
+Mon Jan 29 22:32:21 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 58.0.1
+ MFSA 2018-05
+ * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
+- use correct language packs
+- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
+- allow larger number of nested elements (mozilla-bmo256180.patch)
+
+-------------------------------------------------------------------
+Tue Jan 23 20:40:57 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 58.0 (bsc#1077291)
+ * Added Nepali (ne-NP) locale
+ * Added support for form autofill for credit card
+ * Optimize page load by caching JavaScript internal representation
+ MFSA 2018-02
+ * CVE-2018-5091 (bmo#1423086)
+ Use-after-free with DTMF timers
+ * CVE-2018-5092 (bmo#1418074)
+ Use-after-free in Web Workers
+ * CVE-2018-5093 (bmo#1415291)
+ Buffer overflow in WebAssembly during Memory/Table resizing
+ * CVE-2018-5094 (bmo#1415883)
+ Buffer overflow in WebAssembly with garbage collection on
+ uninitialized memory
+ * CVE-2018-5095 (bmo#1418447)
+ Integer overflow in Skia library during edge builder allocation
+ * CVE-2018-5097 (bmo#1387427)
+ Use-after-free when source document is manipulated during XSLT
+ * CVE-2018-5098 (bmo#1399400)
+ Use-after-free while manipulating form input elements
+ * CVE-2018-5099 (bmo#1416878)
+ Use-after-free with widget listener
+ * CVE-2018-5100 (bmo#1417405)
+ Use-after-free when IsPotentiallyScrollable arguments are freed
+ from memory
+ * CVE-2018-5101 (bmo#1417661)
+ Use-after-free with floating first-letter style elements
+ * CVE-2018-5102 (bmo#1419363)
+ Use-after-free in HTML media elements
+ * CVE-2018-5103 (bmo#1423159)
+ Use-after-free during mouse event handling
+ * CVE-2018-5104 (bmo#1425000)
+ Use-after-free during font face manipulation
+ * CVE-2018-5105 (bmo#1390882)
+ WebExtensions can save and execute files on local file system
+ without user prompts
+ * CVE-2018-5106 (bmo#1408708)
+ Developer Tools can expose style editor information cross-origin
+ through service worker
+ * CVE-2018-5107 (bmo#1379276)
+ Printing process will follow symlinks for local file access
+ * CVE-2018-5108 (bmo#1421099)
+ Manually entered blob URL can be accessed by subsequent private browsing tabs
+ * CVE-2018-5109 (bmo#1405599)
+ Audio capture prompts and starts with incorrect origin attribution
+ * CVE-2018-5110 (bmo#1423275) (affects only OS X)
+ Cursor can be made invisible on OS X
+ * CVE-2018-5111 (bmo#1321619)
+ URL spoofing in addressbar through drag and drop
+ * CVE-2018-5112 (bmo#1425224)
+ Extension development tools panel can open a non-relative URL in the panel
+ * CVE-2018-5113 (bmo#1425267)
+ WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
+ * CVE-2018-5114 (bmo#1421324)
+ The old value of a cookie changed to HttpOnly remains accessible to scripts
+ * CVE-2018-5115 (bmo#1409449)
+ Background network requests can open HTTP authentication in unrelated foreground tabs
+ * CVE-2018-5116 (bmo#1396399)
+ WebExtension ActiveTab permission allows cross-origin frame content access
+ * CVE-2018-5117 (bmo#1395508)
+ URL spoofing with right-to-left text aligned left-to-right
+ * CVE-2018-5118 (bmo#1420049)
+ Activity Stream images can attempt to load local content through file:
+ * CVE-2018-5119 (bmo#1420507)
+ Reader view will load cross-origin content in violation of CORS headers
+ * CVE-2018-5121 (bmo#1402368) (affects only OS X)
+ OS X Tibetan characters render incompletely in the addressbar
+ * CVE-2018-5122 (bmo#1413841)
+ Potential integer overflow in DoCrypt
+ * CVE-2018-5090
+ Memory safety bugs fixed in Firefox 58
+ * CVE-2018-5089
+ Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
+- requires NSS 3.34.1
+- requires rust 1.21
+- removed obsolete patches:
+ mozilla-bindgen-systemlibs.patch
+ mozilla-bmo1360278.patch
+ mozilla-bmo1399611-csd.patch
+ mozilla-rust-1.23.patch
+- rebased patches
+- updated man-page
+
+-------------------------------------------------------------------
+Tue Jan 9 18:48:02 UTC 2018 - wr@rosenauer.org
+
+- fixed build with latest rust (mozilla-rust-1.23.patch)
+
+-------------------------------------------------------------------
+Thu Jan 4 12:23:41 UTC 2018 - wr@rosenauer.org
+
+- update to Firefox 57.0.4
+ MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
+ (boo#1074723)
+
+-------------------------------------------------------------------
+Wed Jan 3 08:29:38 UTC 2018 - wr@rosenauer.org
+
+- fixed regression introduced Oct 10th which made Firefox crash
+ when cancelling the KDE file dialog (boo#1069962)
+
+-------------------------------------------------------------------
+Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com
+
+- Mozilla Firefox 57.0.3:
+ * Fix a crash reporting issue that inadvertently sends background
+ tab crash reports to Mozilla without user opt-in (bmo#1427111,
+ bsc#1074235)
+- Includes changes from 57.0.2:
+ * fixes for platforms other than GNU/Linux
+
+-------------------------------------------------------------------
+Fri Dec 8 15:52:17 UTC 2017 - dimstar@opensuse.org
+
+- Explicitly buildrequires python2-xml: The build system relies on
+ it. We wrongly relied on other packages pulling it in for us.
+
+-------------------------------------------------------------------
+Thu Dec 7 11:12:31 UTC 2017 - dimstar@opensuse.org
+
+- Escape the usage of %{VERSION} when calling out to rpm.
+ RPM 4.14 has %{VERSION} defined as 'the main packages version'.
+
+-------------------------------------------------------------------
+Wed Nov 29 23:45:03 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 57.0.1
+ * CVE-2017-7843: Web worker in Private Browsing mode can write
+ IndexedDB data (bsc#1072034, bmo#1410106)
+ * CVE-2017-7844: Visited history information leak through SVG
+ image (bsc#1072036, bmo#1420001)
+ * Fix a video color distortion issue on YouTube and other video
+ sites with some AMD devices (bmo#1417442)
+ * Fix an issue with prefs.js when the profile path has non-ascii
+ characters (bmo#1420427)
+
+-------------------------------------------------------------------
+Tue Nov 21 09:00:48 UTC 2017 - christophe@krop.fr
+
+- Add mozilla-bmo1360278.patch
+ Starting with Firefox 57, the context menu appears on key press.
+ This patch creates a config entry to restore the
+ old behaviour. Without the patch, the mouse gesture extensions
+ require 2 clicks to work (bmo#1360278).
+ The new config entry is named ui.context_menus.after_mouseup
+ (default : false).
+
+-------------------------------------------------------------------
+Sat Nov 18 08:35:21 UTC 2017 - wr@rosenauer.org
+
+- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
+ widget.allow-client-side-decoration=true
+ (mozilla-bmo1399611-csd.patch)
+
+-------------------------------------------------------------------
+Wed Nov 15 06:46:06 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 57.0 (boo#1068101)
+ * Firefox Quantum
+ * Photon UI
+ * Unified address and search bar
+ * AMD VP9 hardware video decoder support
+ * Added support for Date/Time input
+ * stricter security sandbox blocking filesystem reading and
+ writing on Linux systems
+ * middle mouse paste in the content area no longer navigates to
+ URLs by default on Unix systems
+ MFSA 2017-24
+ * CVE-2017-7828 (bmo#1406750. bmo#1412252)
+ Use-after-free of PressShell while restyling layout
+ * CVE-2017-7830 (bmo#1408990)
+ Cross-origin URL information leak through Resource Timing API
+ * CVE-2017-7831 (bmo#1392026)
+ Information disclosure of exposed properties on JavaScript proxy
+ objects
+ * CVE-2017-7832 (bmo#1408782)
+ Domain spoofing through use of dotless 'i' character followed
+ by accent markers
+ * CVE-2017-7833 (bmo#1370497)
+ Domain spoofing with Arabic and Indic vowel marker characters
+ * CVE-2017-7834 (bmo#1358009)
+ data: URLs opened in new tabs bypass CSP protections
+ * CVE-2017-7835 (bmo#1402363)
+ Mixed content blocking incorrectly applies with redirects
+ * CVE-2017-7836 (bmo#1401339)
+ Pingsender dynamically loads libcurl on Linux and OS X
+ * CVE-2017-7837 (bmo#1325923)
+ SVG loaded as <img> can use meta tags to set cookies
+ * CVE-2017-7838 (bmo#1399540)
+ Failure of individual decoding of labels in international domain
+ names triggers punycode display of entire IDN
+ * CVE-2017-7839 (bmo#1402896)
+ Control characters before javascript: URLs defeats self-XSS
+ prevention mechanism
+ * CVE-2017-7840 (bmo#1366420)
+ Exported bookmarks do not strip script elements from user-supplied
+ tags
+ * CVE-2017-7842 (bmo#1397064)
+ Referrer Policy is not always respected for <link> elements
+ * CVE-2017-7827
+ Memory safety bugs fixed in Firefox 57
+ * CVE-2017-7826
+ Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
+- requires NSPR 4.17, NSS 3.33 and rustc 1.19
+- rebased patches
+- added mozilla-bindgen-systemlibs.patch to allow stylo build
+ with system libs (bmo#1341234)
+- removed mozilla-language.patch since the whole locale code
+ changed in Firefox and is relying on ICU now
+- removed obsolete mozilla-ucontext.patch
+
+-------------------------------------------------------------------
+Sat Oct 28 06:30:37 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 56.0.2
+ * Disable Form Autofill completely on user request (bmo#1404531)
+ * Fix for video-related crashes on Windows 7 (bmo#1409141)
+ * Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
+ * Fix for shutdown crash (bmo#1404105)
+
+-------------------------------------------------------------------
+Tue Oct 10 11:47:49 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 56.0.1
+ * Block D3D11 when using Intel drivers on Windows 7 systems with
+ partial AVX support (bmo#1403353)
+ -> just to sync the version number
+- enable stylo for TW (requires LLVM >= 3.9)
+- queue KDE filepicker requests to avoid non-opening file dialogs
+ happening in certain situations (contributed by Ignaz Forster)
+- the placeholder dot in KDE file dialog in case of empty filenames
+ was removed, apparently not required (anymore)
+ (contributed by Ignaz Forster)
+
+-------------------------------------------------------------------
+Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de
+
+- Correct plugin directory for aarch64 (boo#1061207). The wrapper
+ script was not detecting aarch64 as a 64 bit architecture, thus
+ used /usr/lib/browser-plugins/.
+
+-------------------------------------------------------------------
+Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org
+
+- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
+ pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
+ pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
+ pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
+ looks for.
+
+-------------------------------------------------------------------
+Thu Sep 28 08:28:29 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 56.0 (boo#1060445)
+ * Firefox Screenshots
+ * Find Options/Preferences more quickly with new search function
+ * Media is no longer auto-played when opened in a background tab
+ * Enable CSS Grid Layout View
+ MFSA 2017-21
+ * CVE-2017-7793 (bmo#1371889)
+ Use-after-free with Fetch API
+ * CVE-2017-7817 (bmo#1356596) (Android-only)
+ Firefox for Android address bar spoofing through fullscreen mode
+ * CVE-2017-7818 (bmo#1363723)
+ Use-after-free during ARIA array manipulation
+ * CVE-2017-7819 (bmo#1380292)
+ Use-after-free while resizing images in design mode
+ * CVE-2017-7824 (bmo#1398381)
+ Buffer overflow when drawing and validating elements with ANGLE
+ * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
+ Use-after-free in TLS 1.2 generating handshake hashes
+ * CVE-2017-7812 (bmo#1379842)
+ Drag and drop of malicious page content to the tab bar can open locally stored files
+ * CVE-2017-7814 (bmo#1376036)
+ Blob and data URLs bypass phishing and malware protection warnings
+ * CVE-2017-7813 (bmo#1383951)
+ Integer truncation in the JavaScript parser
+ * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
+ OS X fonts render some Tibetan and Arabic unicode characters as spaces
+ * CVE-2017-7815 (bmo#1368981)
+ Spoofing attack with modal dialogs on non-e10s installations
+ * CVE-2017-7816 (bmo#1380597)
+ WebExtensions can load about: URLs in extension UI
+ * CVE-2017-7821 (bmo#1346515)
+ WebExtensions can download and open non-executable files without user interaction
+ * CVE-2017-7823 (bmo#1396320)
+ CSP sandbox directive did not create a unique origin
+ * CVE-2017-7822 (bmo#1368859)
+ WebCrypto allows AES-GCM with 0-length IV
+ * CVE-2017-7820 (bmo#1378207)
+ Xray wrapper bypass with new tab and web console
+ * CVE-2017-7811
+ Memory safety bugs fixed in Firefox 56
+ * CVE-2017-7810
+ Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
+- requires NSPR 4.16 and NSS 3.32.1
+- rebased patches
+
+-------------------------------------------------------------------
+Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org
+
+- Add alsa-devel BuildRequires: we care for ALSA support to be
+ built and thus need to ensure we get the dependencies in place.
+ In the past, alsa-devel was pulled in by accident: we
+ buildrequire libgnome-devel. This required esound-devel and that
+ in turn pulled in alsa-devel for us. libgnome is being fixed to
+ no longer require esound-devel.
+
+-------------------------------------------------------------------
+Mon Sep 4 18:27:44 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 55.0.3
+ * Fix an issue with addons when using a path containing non-ascii
+ characters (bmo#1389160)
+ * Fix file uploads to some websites, including YouTube (bmo#1383518)
+- fix Google API key build integration
+- add mozilla-ucontext.patch to fix Tumbleweed build
+- do not enable XINPUT2 for now (boo#1053959)
+
+-------------------------------------------------------------------
+Fri Aug 11 08:32:30 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 55.0.1
+ * Fix a regression the tab restoration process (bmo#1388160)
+ * Fix a problem causing What's new pages not to be displayed (bmo#1386224)
+ * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
+ * Disable the predictor prefetch (bmo#1388160)
+
+-------------------------------------------------------------------
+Sat Aug 5 13:22:16 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 55.0 (boo#1052829)
+ * Browsing sessions with a high number of tabs are now restored
+ in an instant
+ * Sidebar (bookmarks, history, synced tabs) can now be moved to
+ the right edge of the window
+ * Fine-tune your browser performance from the Preferences/Options page.
+ * Make screenshots of webpages, and save them locally or upload
+ them to the cloud. This feature will undergo A/B testing and
+ will not be visible for some users.
+ * Added Belarusian (be) locale
+ * Simplify print jobs from within print preview
+ * Use virtual reality devices with the web with the introduction
+ of WebVR
+ * Search suggestions are now enabled by default for users who
+ haven't explicitly opted-out
+ * Search with any installed search engine directly from the
+ location bar
+ * IMPORTANT: Breaking profile changes - do not downgrade Firefox
+ and use a profile that has been opened with Firefox 55+.
+ * The Adobe Flash plugin is now click-to-activate by default and
+ only allowed on http:// and https:// URL schemes. This change
+ will be rolled out progressively and so will not be visible to
+ all users immediately. For more information see the Firefox
+ plugin roadmap
+ * Modernized application update UI to be less intrusive and more
+ aligned with the rest of the browser. Only users who have not
+ restarted their browser 8 days after downloading an update or
+ users who opted out of automatic updates will see this change.
+ * Insecure sites can no longer access the Geolocation APIs to get
+ access to your physical location
+ * requires NSPR 4.15 and NSS 3.31
+ MFSA 2017-18
+ * CVE-2017-7798 (bmo#1371586, bmo#1372112)
+ XUL injection in the style editor in devtools
+ * CVE-2017-7800 (bmo#1374047)
+ Use-after-free in WebSockets during disconnection
+ * CVE-2017-7801 (bmo#1371259)
+ Use-after-free with marquee during window resizing
+ * CVE-2017-7809 (bmo#1380284)
+ Use-after-free while deleting attached editor DOM node
+ * CVE-2017-7784 (bmo#1376087)
+ Use-after-free with image observers
+ * CVE-2017-7802 (bmo#1378147)
+ Use-after-free resizing image elements
+ * CVE-2017-7785 (bmo#1356985)
+ Buffer overflow manipulating ARIA attributes in DOM
+ * CVE-2017-7786 (bmo#1365189)
+ Buffer overflow while painting non-displayable SVG
+ * CVE-2017-7806 (bmo#1378113)
+ Use-after-free in layer manager with SVG
+ * CVE-2017-7753 (bmo#1353312)
+ Out-of-bounds read with cached style data and pseudo-elements#
+ * CVE-2017-7787 (bmo#1322896)
+ Same-origin policy bypass with iframes through page reloads
+ * CVE-2017-7807 (bmo#1376459)
+ Domain hijacking through AppCache fallback
+ * CVE-2017-7792 (bmo#1368652)
+ Buffer overflow viewing certificates with an extremely long OID
+ * CVE-2017-7804 (bmo#1372849)
+ Memory protection bypass through WindowsDllDetourPatcher
+ * CVE-2017-7791 (bmo#1365875)
+ Spoofing following page navigation with data: protocol and modal alerts
+ * CVE-2017-7808 (bmo#1367531)
+ CSP information leak with frame-ancestors containing paths
+ * CVE-2017-7782 (bmo#1344034)
+ WindowsDllDetourPatcher allocates memory without DEP protections
+ * CVE-2017-7781 (bmo#1352039)
+ Elliptic curve point addition error when using mixed Jacobian-affine coordinates
+ * CVE-2017-7794 (bmo#1374281)
+ Linux file truncation via sandbox broker
+ * CVE-2017-7803 (bmo#1377426)
+ CSP containing 'sandbox' improperly applied
+ * CVE-2017-7799 (bmo#1372509)
+ Self-XSS XUL injection in about:webrtc
+ * CVE-2017-7783 (bmo#1360842)
+ DOS attack through long username in URL
+ * CVE-2017-7788 (bmo#1073952)
+ Sandboxed about:srcdoc iframes do not inherit CSP directives
+ * CVE-2017-7789 (bmo#1074642)
+ Failure to enable HSTS when two STS headers are sent for a connection
+ * CVE-2017-7790 (bmo#1350460) (Windows-only)
+ Windows crash reporter reads extra memory for some non-null-terminated registry values
+ * CVE-2017-7796 (bmo#1234401) (Windows-only)
+ Windows updater can delete any file named update.log
+ * CVE-2017-7797 (bmo#1334776)
+ Response header name interning leaks across origins
+ * CVE-2017-7780
+ Memory safety bugs fixed in Firefox 55
+ * CVE-2017-7779
+ Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
+- updated mozilla-kde.patch:
+ * removed "downloadfinished" alert as Firefox reimplemented the
+ whole thing (TODO: check if there is another function we should
+ hook in)
+
+-------------------------------------------------------------------
+Tue Jul 4 20:08:47 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 54.0.1
+ * Fix a display issue of tab title (bmo#1357656)
+ * Fix a display issue of opening new tab (bmo#1371995)
+ * Fix a display issue when opening multiple tabs (bmo#1371962)
+ * Fix a tab display issue when downloading files (bmo#1373109)
+ * Fix a PDF printing issue (bmo#1366744)
+ * Fix a Netflix issue on Linux (bmo#1375708)
+
+-------------------------------------------------------------------
+Thu Jun 15 13:56:05 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 54.0
+ * Clearer and more detailed information for download items in the
+ download panel
+ * Added Burmese (my) locale
+ * Bookmarks created on mobile devices are now shown in
+ "Mobile Bookmarks” folder in the drop down list from the toolbar
+ and Bookmarks option in the menu bar in Desktop Firefox
+ * added support for multiple content processes (e10s-multi)
+- requires NSPR 4.14 and NSS 3.30.2
+- requires rust 1.15.1
+- removed mozilla-shared-nss-db.patch as it seems to be a rather
+ unused feature
+
+-------------------------------------------------------------------
+Thu Jun 1 04:25:05 UTC 2017 - kah0922@gmail.com
+
+- remove -fno-inline-small-functions and explicitely optimize with
+ -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
+
+-------------------------------------------------------------------
+Wed Apr 26 12:37:38 UTC 2017 - wr@rosenauer.org
+
+- switch to Mozilla's geolocation service (boo#1026989)
+- removed mozilla-preferences.patch obsoleted by overriding via
+ firefox.js
+- fixed KDE integration to avoid crash caused by filepicker
+ (boo#1015998)
+
+-------------------------------------------------------------------
+Mon Apr 17 12:52:10 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 53.0
+ * requires NSS 3.29.5
+ * Lightweight themes are now applied in private browsing windows
+ * Reader Mode now displays estimated reading time for the page
+ * Two new 'compact' themes available in Firefox, dark and light,
+ based on the Firefox Developer Edition theme
+ * Ended Firefox Linux support for processors older than Pentium 4
+ and AMD Opteron
+ * Refresh of the media controls user interface
+ * Shortened titles on tabs are faded out instead of using ellipsis
+ for improved readability
+ * Media playback on new tabs is blocked until the tab is visible
+ * Permission notifications have a cleaner design and cannot be
+ easily missed
+ MFSA 2017-10
+ * CVE-2017-5456 (bmo#1344415)
+ Sandbox escape allowing local file system access
+ * CVE-2017-5442 (bmo#1347979)
+ Use-after-free during style changes
+ * CVE-2017-5443 (bmo#1342661)
+ Out-of-bounds write during BinHex decoding
+ * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
+ bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
+ Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
+ Firefox ESR 52.1
+ * CVE-2017-5464 (bmo#1347075)
+ Memory corruption with accessibility and DOM manipulation
+ * CVE-2017-5465 (bmo#1347617)
+ Out-of-bounds read in ConvolvePixel
+ * CVE-2017-5466 (bmo#1353975)
+ Origin confusion when reloading isolated data:text/html URL
+ * CVE-2017-5467 (bmo#1347262)
+ Memory corruption when drawing Skia content
+ * CVE-2017-5460 (bmo#1343642)
+ Use-after-free in frame selection
+ * CVE-2017-5461 (bmo#1344380)
+ Out-of-bounds write in Base64 encoding in NSS
+ * CVE-2017-5448 (bmo#1346648)
+ Out-of-bounds write in ClearKeyDecryptor
+ * CVE-2017-5449 (bmo#1340127)
+ Crash during bidirectional unicode manipulation with animation
+ * CVE-2017-5446 (bmo#1343505)
+ Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
+ * CVE-2017-5447 (bmo#1343552)
+ Out-of-bounds read during glyph processing
+ * CVE-2017-5444 (bmo#1344461)
+ Buffer overflow while parsing application/http-index-format content
+ * CVE-2017-5445 (bmo#1344467)
+ Uninitialized values used while parsing application/http-index-format
+ content
+ * CVE-2017-5468 (bmo#1329521)
+ Incorrect ownership model for Private Browsing information
+ * CVE-2017-5469 (bmo#1292534)
+ Potential Buffer overflow in flex-generated code
+ * CVE-2017-5440 (bmo#1336832)
+ Use-after-free in txExecutionState destructor during XSLT processing
+ * CVE-2017-5441 (bmo#1343795)
+ Use-after-free with selection during scroll events
+ * CVE-2017-5439 (bmo#1336830)
+ Use-after-free in nsTArray Length() during XSLT processing
+ * CVE-2017-5438 (bmo#1336828)
+ Use-after-free in nsAutoPtr during XSLT processing
+ * CVE-2017-5437 (bmo#1343453)
+ Vulnerabilities in Libevent library
+ * CVE-2017-5436 (bmo#1345461)
+ Out-of-bounds write with malicious font in Graphite 2
+ * CVE-2017-5435 (bmo#1350683)
+ Use-after-free during transaction processing in the editor
+ * CVE-2017-5434 (bmo#1349946)
+ Use-after-free during focus handling
+ * CVE-2017-5433 (bmo#1347168)
+ Use-after-free in SMIL animation functions
+ * CVE-2017-5432 (bmo#1346654)
+ Use-after-free in text input selection
+ * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
+ bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
+ bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
+ bmo#1349719, bmo#1353476)
+ Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
+ * CVE-2017-5459 (bmo#1333858)
+ Buffer overflow in WebGL
+ * CVE-2017-5458 (bmo#1229426)
+ Drag and drop of javascript: URLs can allow for self-XSS
+ * CVE-2017-5455 (bmo#1341191)
+ Sandbox escape through internal feed reader APIs
+ * CVE-2017-5454 (bmo#1349276)
+ Sandbox escape allowing file system read access through file picker
+ * CVE-2017-5451 (bmo#1273537)
+ Addressbar spoofing with onblur event
+ * CVE-2017-5453 (bmo#1321247)
+ HTML injection into RSS Reader feed preview page through
+ TITLE element
+ * CVE-2017-5462 (bmo#1345089)
+ DRBG flaw in NSS
+- removed browser(npapi) provides as these plugins are deprecated
+- switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for
+ Leap 42
+- Gtk2 is not longer an option; switched to Gtk3
+- apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support
+ (boo#1032003)
+
+-------------------------------------------------------------------
+Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 52.0.2
+ * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
+ * Fix loading tab icons on session restore (bmo#1338009)
+ * Fix a crash on startup on Linux (bmo#1345413)
+ * Fix new installs erroneously not prompting to change the default
+ browser setting (bmo#1343938)
+
+-------------------------------------------------------------------
+Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org
+
+- disable rust usage for everything but x86(-64)
+- explicitely add libffi build requirement
+
+-------------------------------------------------------------------
+Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 52.0.1 (boo#1029822)
+ MFSA 2017-08
+ CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
+
+-------------------------------------------------------------------
+Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org
+
+- reenable ALSA support which was removed by default upstream
+
+-------------------------------------------------------------------
+Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 52.0 (boo#1028391)
+ * requires NSS >= 3.28.3
+ * Pages containing insecure password fields now display a warning
+ directly within username and password fields.
+ * Send and open a tab from one device to another with Sync
+ * Removed NPAPI support for plugins other than Flash. Silverlight,
+ Java, Acrobat and the like are no longer supported.
+ * Removed Battery Status API to reduce fingerprinting of users by
+ trackers
+ * MFSA 2017-05
+ CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
+ (bmo#1334933)
+ CVE-2017-5401: Memory Corruption when handling ErrorResult
+ (bmo#1328861)
+ CVE-2017-5402: Use-after-free working with events in FontFace
+ objects (bmo#1334876)
+ CVE-2017-5403: Use-after-free using addRange to add range to an
+ incorrect root object (bmo#1340186)
+ CVE-2017-5404: Use-after-free working with ranges in selections
+ (bmo#1340138)
+ CVE-2017-5406: Segmentation fault in Skia with canvas operations
+ (bmo#1306890)
+ CVE-2017-5407: Pixel and history stealing via floating-point
+ timing side channel with SVG filters (bmo#1336622)
+ CVE-2017-5410: Memory corruption during JavaScript garbage
+ collection incremental sweeping (bmo#1330687)
+ CVE-2017-5408: Cross-origin reading of video captions in violation
+ of CORS (bmo#1313711)
+ CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
+ CVE-2017-5413: Segmentation fault during bidirectional operations
+ (bmo#1337504)
+ CVE-2017-5414: File picker can choose incorrect default directory
+ (bmo#1319370)
+ CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
+ CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
+ CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
+ (bmo#791597)
+ CVE-2017-5426: Gecko Media Plugin sandbox is not started if
+ seccomp-bpf filter is running (bmo#1257361)
+ CVE-2017-5427: Non-existent chrome.manifest file loaded during
+ startup (bmo#1295542)
+ CVE-2017-5418: Out of bounds read when parsing HTTP digest
+ authorization responses (bmo#1338876)
+ CVE-2017-5419: Repeated authentication prompts lead to DOS
+ attack (bmo#1312243)
+ CVE-2017-5420: Javascript: URLs can obfuscate addressbar
+ location (bmo#1284395)
+ CVE-2017-5405: FTP response codes can cause use of
+ uninitialized values for ports (bmo#1336699)
+ CVE-2017-5421: Print preview spoofing (bmo#1301876)
+ CVE-2017-5422: DOS attack by using view-source: protocol
+ repeatedly in one hyperlink (bmo#1295002)
+ CVE-2017-5399: Memory safety bugs fixed in Firefox 52
+ CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
+ Firefox ESR 45.8
+- removed obsolete patches
+ * mozilla-binutils-visibility.patch
+ * mozilla-check_return.patch
+ * mozilla-disable-skia-be.patch
+ * mozilla-skia-overflow.patch
+ * mozilla-skia-ppc-endianess.patch
+- rebased patches
+- enable rust usage for Tumbleweed
+
+-------------------------------------------------------------------
+Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com
+
+- Mozilla Firefox 51.0.1:
+ - Multiprocess incompatibility did not correctly register with
+ some add-ons (bmo#1333423)
+
+-------------------------------------------------------------------
+Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 51.0
+ * requires NSPR >= 4.13.1, NSS >= 3.28.1
+ * Added support for FLAC (Free Lossless Audio Codec) playback
+ * Added support for WebGL 2
+ * Added Georgian (ka) and Kabyle (kab) locales
+ * Support saving passwords for forms without 'submit' events
+ * Improved video performance for users without GPU acceleration
+ * Zoom indicator is shown in the URL bar if the zoom level is not
+ at default level
+ * View passwords from the prompt before saving them
+ * Remove Belarusian (be) locale
+ * Use Skia for content rendering (Linux)
+ * MFSA 2017-01
+ CVE-2017-5375: Excessive JIT code allocation allows bypass of
+ ASLR and DEP (bmo#1325200, boo#1021814)
+ CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
+ CVE-2017-5377: Memory corruption with transforms to create
+ gradients in Skia (bmo#1306883, boo#1021826)
+ CVE-2017-5378: Pointer and frame data leakage of Javascript objects
+ (bmo#1312001, bmo#1330769, boo#1021818)
+ CVE-2017-5379: Use-after-free in Web Animations
+ (bmo#1309198,boo#1021827)
+ CVE-2017-5380: Potential use-after-free during DOM manipulations
+ (bmo#1322107, boo#1021819)
+ CVE-2017-5390: Insecure communication methods in Developer Tools
+ JSON viewer (bmo#1297361, boo#1021820)
+ CVE-2017-5389: WebExtensions can install additional add-ons via
+ modified host requests (bmo#1308688, boo#1021828)
+ CVE-2017-5396: Use-after-free with Media Decoder
+ (bmo#1329403, boo#1021821)
+ CVE-2017-5381: Certificate Viewer exporting can be used to navigate
+ and save to arbitrary filesystem locations
+ (bmo#1017616, boo#1021830)
+ CVE-2017-5382: Feed preview can expose privileged content errors
+ and exceptions (bmo#1295322, boo#1021831)
+ CVE-2017-5383: Location bar spoofing with unicode characters
+ (bmo#1323338, bmo#1324716, boo#1021822)
+ CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
+ (bmo#1255474, boo#1021832)
+ CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
+ response headers (bmo#1295945, boo#1021833)
+ CVE-2017-5386: WebExtensions can use data: protocol to affect other
+ extensions (bmo#1319070, boo#1021823)
+ CVE-2017-5394: Android location bar spoofing using fullscreen and
+ JavaScript events (bmo#1222798)
+ CVE-2017-5391: Content about: pages can load privileged about: pages
+ (bmo#1309310, boo#1021835)
+ CVE-2017-5392: Weak references using multiple threads on weak proxy
+ objects lead to unsafe memory usage (bmo#1293709)
+ (Android only)
+ CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
+ mozAddonManager (bmo#1309282, boo#1021837)
+ CVE-2017-5395: Android location bar spoofing during scrolling
+ (bmo#1293463) (Android only)
+ CVE-2017-5387: Disclosure of local file existence through TRACK
+ tag error messages (bmo#1295023, boo#1021839)
+ CVE-2017-5388: WebRTC can be used to generate a large amount of
+ UDP traffic for DDOS attacks
+ (bmo#1281482, boo#1021840)
+ CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
+ CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
+ Firefox ESR 45.7 (boo#1021824)
+- switch Firefox to Gtk3 for Tumbleweed
+- removed obsolete patches
+ * mozilla-flex_buffer_overrun.patch
+- updated RPM locale support tag
+- improve recognition of LANGUAGE env variable (boo#1017174)
+- add upstream patch to fix PPC64LE (bmo#1319389)
+ (mozilla-skia-ppc-endianess.patch)
+- fix build without skia (big endian archs) (bmo#1319374)
+ (mozilla-disable-skia-be.patch)
+
+-------------------------------------------------------------------
+Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 50.1.0 (boo#1015422)
+ * MFSA 2016-94
+ CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
+ CVE-2016-9899: Use-after-free while manipulating DOM events and
+ audio elements (bmo#1317409)
+ CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
+ CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
+ CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
+ CVE-2016-9898: Use-after-free in Editor while manipulating
+ DOM subtrees (bmo#1314442)
+ CVE-2016-9900: Restricted external resources can be loaded by
+ SVG images through data URLs (bmo#1319122)
+ CVE-2016-9904: Cross-origin information leak in shared atoms
+ (bmo#1317936)
+ CVE-2016-9901: Data from Pocket server improperly sanitized
+ before execution (bmo#1320057)
+ CVE-2016-9902: Pocket extension does not validate the origin
+ of events (bmo#1320039)
+ CVE-2016-9903: XSS injection vulnerability in add-ons SDK
+ (bmo#1315435)
+ CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
+ CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
+ Firefox ESR 45.6
+
+-------------------------------------------------------------------
+Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com
+
+- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
+
+-------------------------------------------------------------------
+Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 50.0.2
+ * Firefox crashes with 3rd party Chinese IME when using IME text
+ (50.0.1)
+ security fixes (in 50.0.1): (boo#1012807)
+ * MFSA 2016-91
+ CVE-2016-9078: data: URL can inherit wrong origin after an
+ HTTP redirect (bmo#1317641)
+ security fixes (in 50.0.2) (boo#1012964)
+ * MFSA 2016-92
+ CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
+
+-------------------------------------------------------------------
+Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 50.0 (boo#1009026)
+ * requires NSS 3.26.2
+ new features
+ * Updates to keyboard shortcuts
+ Set a preference to have Ctrl+Tab cycle through tabs in recently
+ used order
+ View a page in Reader Mode by using Ctrl+Alt+R
+ * Added option to Find in page that allows users to limit search to
+ whole words only
+ * Added download protection for a large number of executable file
+ types on Windows, Mac and Linux
+ * Fixed rendering of dashed and dotted borders with rounded corners
+ (border-radius)
+ * Added a built-in Emoji set for operating systems without native
+ Emoji fonts (Windows 8.0 and lower and Linux)
+ * Blocked versions of libavcodec older than 54.35.1
+ * additional locale
+ security fixes:
+ * MFSA 2016-89
+ CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
+ (bmo#1292443)
+ CVE-2016-5292: URL parsing causes crash (bmo#1288482)
+ CVE-2016-5293: Write to arbitrary file with updater and moz
+ maintenance service using updater.log hardlink
+ (Windows only) (bmo#1246945)
+ CVE-2016-5294: Arbitrary target directory for result files of
+ update process (Windows only) (bmo#1246972)
+ CVE-2016-5297: Incorrect argument length checking in Javascript
+ (bmo#1303678)
+ CVE-2016-9064: Addons update must verify IDs match between
+ current and new versions (bmo#1303418)
+ CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
+ (Android only) (bmo#1306696)
+ CVE-2016-9066: Integer overflow leading to a buffer overflow in
+ nsScriptLoadHandler (bmo#1299686)
+ CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
+ (bmo#1301777, bmo#1308922 (CVE-2016-9069))
+ CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
+ CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
+ (bmo#1300083) (Windows only)
+ CVE-2016-9075: WebExtensions can access the mozAddonManager API
+ and use it to gain elevated privileges (bmo#1295324)
+ CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
+ to cross-origin images, allowing timing attacks on them
+ (bmo#1298552)
+ CVE-2016-5291: Same-origin policy violation using local HTML file
+ and saved shortcut file (bmo#1292159)
+ CVE-2016-5295: Mozilla Maintenance Service: Ability to read
+ arbitrary files as SYSTEM (Windows only) (bmo#1247239)
+ CVE-2016-5298: SSL indicator can mislead the user about the real
+ URL visited (bmo#1227538) (Android only)
+ CVE-2016-5299: Firefox AuthToken in broadcast protected with
+ signature-level permission can be accessed by an
+ application installed beforehand that defines the
+ same permissions (bmo#1245791) (Android only)
+ CVE-2016-9061: API Key (glocation) in broadcast protected with
+ signature-level permission can be accessed by an
+ application installed beforehand that defines the
+ same permissions (Android only) (bmo#1245795)
+ CVE-2016-9062: Private browsing browser traces (android) in
+ browser.db and wal file (Android only) (bmo#1294438)
+ CVE-2016-9070: Sidebar bookmark can have reference to chrome window
+ (bmo#1281071)
+ CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
+ (bmo#1289273)
+ CVE-2016-9074: Insufficient timing side-channel resistance in
+ divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
+ CVE-2016-9076: select dropdown menu can be used for URL bar
+ spoofing on e10s (bmo#1276976)
+ CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
+ in expat (bmo#1274777)
+ CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
+ (bmo#1285003)
+ CVE-2016-5289: Memory safety bugs fixed in Firefox 50
+ CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
+- make aarch64 build more similar to x86_64 build (remove conditionals
+ that don't seem to be necessary anymore)
+
+-------------------------------------------------------------------
+Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 49.0.2:
+ * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
+ * CVE-2016-5288: Web content can read cache entries (bsc#1006476)
+ * Asynchronous rendering of the Flash plugins is now enabled by
+ default
+ * Change D3D9 default fallback preference to prevent graphical
+ artifacts
+ * Network issue prevents some users from seeing the Firefox UI on
+ startup
+ * Web compatibility issue with file uploads
+ * Web compatibility issue with Array.prototype.values
+ * Diagnostic information on timing for tab switching
+ * Fix a Canvas filters graphics issue affecting HTML5 apps
+
+-------------------------------------------------------------------
+Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com
+
+- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
+ and fixes have been incorporated by upstream.
+
+-------------------------------------------------------------------
+Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 49.0.1:
+ * Mitigate a startup crash issue caused by Websense - bmo#1304783
+
+-------------------------------------------------------------------
+Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 49.0 (boo#999701)
+ new features
+ * Updated Firefox Login Manager to allow HTTPS pages to use saved
+ HTTP logins.
+ * Added features to Reader Mode that make it easier on the eyes and
+ the ears
+ * Improved video performance for users on systems that support
+ SSE3 without hardware acceleration
+ * Added context menu controls to HTML5 audio and video that let users
+ loops files or play files at 1.25x speed
+ * Improvements in about:memory reports for tracking font memory usage
+ security related
+ * MFSA 2016-85
+ CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
+ mozilla::net::IsValidReferrerPolicy
+ CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
+ nsCaseTransformTextRunFactory::TransformString
+ CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
+ PropertyProvider::GetSpacingInternal
+ CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
+ CVE-2016-5273 (bmo#1280387) - crash in
+ mozilla::a11y::HyperTextAccessible::GetChildOffset
+ CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
+ mozilla::a11y::DocAccessible::ProcessInvalidationList
+ CVE-2016-5274 (bmo#1282076) - use-after-free in
+ nsFrameManager::CaptureFrameState
+ CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
+ CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
+ mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
+ CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
+ nsBMPEncoder::AddImageFrame
+ CVE-2016-5279 (bmo#1249522) - Full local path of files is available
+ to web pages after drag and drop
+ CVE-2016-5280 (bmo#1289970) - Use-after-free in
+ mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
+ CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
+ CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
+ from non-whitelisted schemes
+ CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
+ reveal cross-origin data
+ CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
+ CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
+ CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
+- removed obsolete patches:
+ * mozilla-aarch64-48bit-va.patch
+ * mozilla-exclude-nametablecpp.patch
+ * mozilla-old_configure-bmo1282843.patch
+- added patch mozilla-skia-overflow.patch (bmo#1304114)
+- requires NSS 3.25
+
+-------------------------------------------------------------------
+Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 48.0.2:
+ * Mitigate a startup crash issue caused on Windows (bmo#1291738)
+
+-------------------------------------------------------------------
+Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 48.0.1:
+ * Fix an audio regression impacting some major websites
+ (bmo#1295296)
+ * Fix a top crash in the JavaScript engine (bmo#1290469)
+ * Fix a startup crash issue caused by Websense (bmo#1291738)
+ * Fix a different behavior with e10s / non-e10s on <select> and
+ mouse events (bmo#1291078)
+ * Fix a top crash caused by plugin issues (bmo#1264530)
+ * Fix a shutdown issue (bmo#1276920)
+ * Fix a crash in WebRTC
+
+-------------------------------------------------------------------
+Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org
+
+- added upstream patch so system plugins/extensions are correctly
+ loaded again on x86-64 (bmo#1282843)
+ (mozilla-old_configure-bmo1282843.patch)
+
+-------------------------------------------------------------------
+Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
+
+- Fix for possible buffer overrun (bsc#990856)
+ CVE-2016-6354 (bmo#1292534)
+ [mozilla-flex_buffer_overrun.patch]
+
+-------------------------------------------------------------------
+Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com
+
+- Update mozilla-gtk3_20.patch to latest version from Fedora.
+
+-------------------------------------------------------------------
+Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 48.0 (boo#991809)
+ * requires NSS 3.24
+ * Process separation (e10s) is enabled for some of you
+ * Add-ons that have not been verified and signed by Mozilla will not load
+ * WebRTC embetterments
+ * The media parser has been redeveloped using the Rust programming
+ language
+ * better Canvas performance with speedy Skia support
+ security fixes:
+ * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
+ Miscellaneous memory safety hazards
+ * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
+ Favicon network connection can persist when page is closed
+ * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
+ Buffer overflow rendering SVG with bidirectional content
+ * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
+ Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
+ * MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
+ Location bar spoofing via data URLs with malformed/invalid mediatypes
+ * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
+ Stack underflow during 2D graphics rendering
+ * MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
+ Out-of-bounds read during XML parsing in Expat library
+ * MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
+ Arbitrary file manipulation by local user through Mozilla updater
+ and callback application path parameter (Windows-only)
+ * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
+ Use-after-free when using alt key and toplevel menus
+ * MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
+ Crash in incremental garbage collection in JavaScript
+ * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
+ Use-after-free in DTLS during WebRTC session shutdown
+ * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
+ Use-after-free in service workers with nested sync events
+ * MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
+ Form input type change from password to text can store plain
+ text password in session restore file
+ * MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
+ Integer overflow in WebSockets during data buffering
+ * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
+ Scripts on marquee tag can execute in sandboxed iframes
+ * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
+ Buffer overflow in ClearKey Content Decryption Module (CDM)
+ during video playback
+ * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
+ Type confusion in display transformation
+ * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
+ Use-after-free when applying SVG effects
+ * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
+ Same-origin policy violation using local HTML file and saved shortcut file
+ * MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
+ Information disclosure and local file manipulation through drag and drop
+ * MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
+ Addressbar spoofing with right-to-left characters on Firefox for Android
+ (Android only)
+ * MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
+ Spoofing attack through text injection into internal error pages
+ * MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
+ Information disclosure through Resource Timing API during page navigation
+- removed obsolete mozilla-gcc6.patch
+
+-------------------------------------------------------------------
+Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com
+
+- Update description and screenshots in appdata.xml file.
+
+-------------------------------------------------------------------
+Sat Jul 23 20:13:08 UTC 2016 - antoine.belvire@laposte.net
+
+- Fix Firefox crash on startup on i586 (boo#986541):
+ * Add -fno-delete-null-pointer-checks and
+ -fno-inline-small-functions to CFLAGS
+
+-------------------------------------------------------------------
+Tue Jul 19 20:12:11 UTC 2016 - mailaender@opensuse.org
+
+- Update the appdata.xml file (replace Windows XP screenshot)
+
+-------------------------------------------------------------------
+Wed Jun 29 09:25:41 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 47.0.1:
+ * Selenium WebDriver may cause Firefox to crash at startup
+ (bmo#1280854)
+
+-------------------------------------------------------------------
+Wed Jun 15 07:52:18 UTC 2016 - wr@rosenauer.org
+
+- mozilla-binutils-visibility.patch to fix build issues with
+ gcc/binutils combination used in Leap 42.2 (boo#984637)
+
+-------------------------------------------------------------------
+Tue Jun 14 08:35:03 UTC 2016 - badshah400@gmail.com
+
+- Update mozilla-gtk3_20.patch to latest version from Fedora.
+
+-------------------------------------------------------------------
+Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com
+
+- Fix running on 48bit va aarch64 (bsc#984126)
+ * add patch mozilla-aarch64-48bit-va.patch
+
+-------------------------------------------------------------------
+Mon Jun 13 15:27:13 UTC 2016 - wr@rosenauer.org
+
+- fix XUL dialog button order under KDE session (boo#984403)
+
+-------------------------------------------------------------------
+Tue Jun 7 19:47:25 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 47.0 (boo#983549)
+ * Enable VP9 video codec for users with fast machines
+ * Embedded YouTube videos now play with HTML5 video if Flash is
+ not installed
+ * View and search open tabs from your smartphone or another
+ computer in a sidebar
+ * Allow no-cache on back/forward navigations for https resources
+ security fixes:
+ * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
+ (boo#983638)
+ (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
+ bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
+ bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
+ bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
+ bmo#1269729, bmo#1273202, bmo#1273701)
+ Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
+ * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
+ Buffer overflow parsing HTML5 fragments
+ * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
+ Use-after-free deleting tables from a contenteditable document
+ * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
+ Addressbar spoofing though the SELECT element
+ * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
+ Out-of-bounds write with WebGL shader
+ * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
+ Partial same-origin-policy through setting location.host
+ through data URI
+ * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
+ Use-after-free when textures are used in WebGL operations
+ after recycle pool destruction
+ * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
+ Incorrect icon displayed on permissions notifications
+ * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
+ Entering fullscreen and persistent pointerlock without user
+ permission
+ * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
+ Information disclosure of disabled plugins through CSS
+ pseudo-classes
+ * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
+ Java applets bypass CSP protections
+ * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
+ bmo#1221620, bmo#1241034, bmo#1241037)
+ Network Security Services (NSS) vulnerabilities
+ fixed by requiring NSS 3.23
+ packaging changes:
+ * cleanup configure options (boo#981695):
+ - notably remove GStreamer support which is gone from FF
+ * remove obsolete patches
+ - mozilla-libproxy.patch
+ - mozilla-repo.patch
+
+-------------------------------------------------------------------
+Wed May 25 16:36:23 UTC 2016 - badshah400@gmail.com
+
+- The conditional testing for gcc was failing for different
+ openSUSE versions, drop it and apply patches unconditionally.
+
+-------------------------------------------------------------------
+Mon May 23 15:30:27 UTC 2016 - badshah400@gmail.com
+
+- Add patches to fix building with gcc6:
+ + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
+ taken from upstream:
+ https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
+ + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
+ from unified compilation because #include <cmath> in other
+ source files causes gcc6 compilation failure; patch taken from
+ upstream:
+ https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc.
+
+-------------------------------------------------------------------
+Fri May 13 00:00:00 CEST 2016 - dsterba@suse.cz
+
+- enable build with PIE and full relro on x86_64 (boo#980384)
+
+-------------------------------------------------------------------
+Wed May 4 10:27:43 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 46.0.1
+ Fixed:
+ * Search plugin issue for various locales
+ * Add-on signing certificate expiration
+ * Service worker update issue
+ * Build issue when jit is disabled
+ * Limit Sync registration updates
+- removed now obsolete mozilla-jit_branch64.patch
+
+-------------------------------------------------------------------
+Tue May 3 15:47:18 UTC 2016 - normand@linux.vnet.ibm.com
+
+- add mozilla-jit_branch64.patch to avoid PowerPC build failure
+ (from bmo#1266366)
+
+-------------------------------------------------------------------
+Wed Apr 27 08:39:28 UTC 2016 - badshah400@gmail.com
+
+- Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
+ version from Fedora).
+
+-------------------------------------------------------------------
+Wed Apr 27 06:09:30 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 46.0 (boo#977333)
+ * Improved security of the JavaScript Just In Time (JIT) Compiler
+ * WebRTC fixes to improve performance and stability
+ * Added support for document.elementsFromPoint
+ * Added HKDF support for Web Crypto API
+ * requires NSPR 4.12 and NSS 3.22.3
+ * added patch to fix unchecked return value
+ mozilla-check_return.patch
+ * Gtk3 builds not supported at the moment
+ security fixes:
+ * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
+ (boo#977373, boo#977375, boo#977376)
+ Miscellaneous memory safety hazards
+ * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
+ Privilege escalation through file deletion by Maintenance Service updater
+ (Windows only)
+ * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
+ Content provider permission bypass allows malicious application
+ to access data (Android only)
+ * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
+ (bmo#1252330, bmo#1261776, boo#977379)
+ Use-after-free and buffer overflow in Service Workers
+ * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
+ Disclosure of user actions through JavaScript with motion and
+ orientation sensors (only affects mobile variants)
+ * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
+ Buffer overflow in libstagefright with CENC offsets
+ * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
+ CSP not applied to pages sent with multipart/x-mixed-replace
+ * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
+ Elevation of privilege with chrome.tabs.update API in web extensions
+ * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
+ Write to invalid HashMap entry through JavaScript.watch()
+ * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
+ Firefox Health Reports could accept events from untrusted domains
+
+-------------------------------------------------------------------
+Thu Apr 21 12:00:28 UTC 2016 - badshah400@gmail.com
+
+- Update mozilla-gtk3_20.patch to fix scrollbar appearance under
+ gtk >= 3.20 (patch synced to Fedora's version).
+
+-------------------------------------------------------------------
+Tue Apr 12 19:11:30 UTC 2016 - badshah400@gmail.com
+
+- Compile against gtk3 depending on whether the macro
+ %firefox_use_gtk3 is defined or not (e.g., at the prjconf
+ level); macro is undefined by default and so gtk2 is used as the
+ default toolkit.
+- Add BuildRequires for additional packages needed when building
+ against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
+ pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
+- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
+ patch taken from Fedora (bmo#1230955).
+
+-------------------------------------------------------------------
+Mon Apr 11 22:49:24 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 45.0.2:
+ * Fix an issue impacting the cookie header when third-party
+ cookies are blocked (bmo#1257861)
+ * Fix a web compatibility regression impacting the srcset
+ attribute of the image tag (bmo#1259482)
+ * Fix a crash impacting the video playback with Media Source
+ Extension (bmo#1258562)
+ * Fix a regression impacting some specific uploads (bmo#1255735)
+ * Fix a regression with the copy and paste with some old versions
+ of some Gecko applications like Thunderbird (bmo#1254980)
+
+-------------------------------------------------------------------
+Fri Mar 18 08:52:58 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 45.0.1:
+ * Fix a regression causing search engine settings to be lost in
+ some context (bmo#1254694)
+ * Bring back non-standard jar: URIs to fix a regression in IBM
+ iNotes (bmo#1255139)
+ * XSLTProcessor.importStylesheet was failing when <import> was
+ used (bmo#1249572)
+ * Fix an issue which could cause the list of search provider to
+ be empty (bmo#1255605)
+ * Fix a regression when using the location bar (bmo#1254503)
+ * Fix some loading issues when Accept third-party cookies: was
+ set to Never (bmo#1254856)
+ * Disabled Graphite font shaping library
+
+-------------------------------------------------------------------
+Sun Mar 6 19:52:13 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 45.0 (boo#969894)
+ * requires NSPR 4.12 / NSS 3.21.1
+ * Instant browser tab sharing through Hello
+ * Synced Tabs button in button bar
+ * Tabs synced via Firefox Accounts from other devices are now shown
+ in dropdown area of Awesome Bar when searching
+ * Introduce a new preference (network.dns.blockDotOnion) to allow
+ blocking .onion at the DNS level
+ * Tab Groups (Panorama) feature removed
+ * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
+ Miscellaneous memory safety hazards
+ * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
+ Local file overwriting and potential privilege escalation through
+ CSP reports
+ * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
+ CSP reports fail to strip location information for embedded iframe pages
+ * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
+ Linux video memory DOS with Intel drivers
+ * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
+ Memory leak in libstagefright when deleting an array during MP4
+ processing
+ * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
+ Displayed page address can be overridden
+ * MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
+ Service Worker Manager out-of-bounds read in Service Worker Manager
+ * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
+ Use-after-free in HTML5 string parser
+ * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
+ Use-after-free in SetBody
+ * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
+ Use-after-free when using multiple WebRTC data channels
+ * MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
+ Memory corruption when modifying a file being read by FileReader
+ * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
+ Use-after-free during XML transformations
+ * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
+ Addressbar spoofing though history navigation and Location protocol
+ property
+ * MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
+ Same-origin policy violation using perfomance.getEntries and
+ history navigation with session restore
+ * MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
+ Buffer overflow in Brotli decompression
+ * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
+ Memory corruption with malicious NPAPI plugin
+ * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
+ CVE-2016-1976/CVE-2016-1972
+ WebRTC and LibVPX vulnerabilities found through code inspection
+ * MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
+ Use-after-free in GetStaticInstance in WebRTC
+ * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
+ Out-of-bounds read in HTML parser following a failed allocation
+ * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
+ Buffer overflow during ASN.1 decoding in NSS
+ (fixed by requiring 3.21.1)
+ * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
+ Use-after-free during processing of DER encoded keys in NSS
+ (fixed by requiring 3.21.1)
+ * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
+ CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
+ CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
+ CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
+ Font vulnerabilities in the Graphite 2 library
+
+-------------------------------------------------------------------
+Sat Mar 5 15:27:00 UTC 2016 - olaf@aepfle.de
+
+- Remove B_CNT from symbols.zip filename to reduce build-compare noise
+
+-------------------------------------------------------------------
+Fri Feb 26 16:22:52 UTC 2016 - astieger@suse.com
+
+- fix build problems on i586, caused by too large unified compile
+ units - adding mozilla-reduce-files-per-UnifiedBindings.patch
+
+-------------------------------------------------------------------
+Thu Feb 11 07:51:34 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 44.0.2
+ * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
+ Same-origin-policy violation using Service Workers with plugins
+ * Fix issue which could lead to the removal of stored passwords
+ under certain circumstances (bmo#1242176)
+ * Allows spaces in cookie names (bmo#1244505)
+ * Disable opus/vorbis audio with H.264 (bmo#1245696)
+ * Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
+ * Fix a crash in cache networking (bmo#1244076)
+ * Fix using WebSockets in service worker controlled pages (bmo#1243942)
+
+-------------------------------------------------------------------
+Sat Jan 30 08:28:17 UTC 2016 - dmueller@suse.com
+
+- build fixes for arm/aarch64:
+ * disable webrtc for arm/aarch64
+ * switch away from openGL-ES backend to default for arm/aarch64
+ since it almost never builds
+ * reenable neon
+- reenable webrtc for powerpc as it seems to build
+
+-------------------------------------------------------------------
+Sun Jan 24 09:33:15 UTC 2016 - wr@rosenauer.org
+
+- update to Firefox 44.0
+ * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
+ Miscellaneous memory safety hazards
+ * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
+ Out of Memory crash when parsing GIF format images
+ * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
+ Buffer overflow in WebGL after out of memory allocation
+ * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
+ Firefox allows for control characters to be set in cookie names
+ * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
+ Missing delay following user click events in protocol handler dialog
+ * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
+ Errors in mp_div and mp_exptmod cryptographic functions in NSS
+ (fixed by requiring NSS 3.21)
+ * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
+ Addressbar spoofing attacks boo#963643
+ * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
+ (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
+ Unsafe memory manipulation found through code inspection
+ * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
+ Application Reputation service disabled in Firefox 43
+ * requires NSPR 4.11
+ * requires NSS 3.21
+- prepare mozilla-kde.patch for Gtk3 builds
+- rebased patches
+
+-------------------------------------------------------------------
+Mon Jan 11 08:04:24 UTC 2016 - astieger@suse.com
+
+- Mozilla Firefox 43.0.4:
+ * Re-enable SHA-1 certificates to prevent outdated
+ man-in-the-middle security devices from interfering with
+ properly secured SSL/TLS connections (bmo#1236975)
+ * Fix for startup crash for users of a third party antivirus tool
+ (bmo#1235537)
+- The following change was previously in the package as a patch:
+ * Multi-user GNU/Linux download folders can be created
+ (bmo#1233434), removed mozilla-bmo1233434.patch
+
+-------------------------------------------------------------------
+Tue Dec 29 20:29:35 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 43.0.3
+ * requires NSS 3.20.2 to fix
+ MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
+ MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
+ server signature
+ * various changes to support Windows update (SHA-1 vs. SHA-2)
+ * workaround Youtube user agent detection issue (bmo#1233970)
+- fix file download regression for multi user systems
+ (bmo#1233434) (mozilla-bmo1233434.patch)
+- explicitely requires libXcomposite-devel
+
+-------------------------------------------------------------------
+Sun Dec 13 23:07:56 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 43.0 (bnc#959277)
+ * Improved API support for m4v video playback
+ * Users can opt-in to receive search suggestions from the Awesome Bar
+ * WebRTC streaming on multiple monitors
+ * User selectable second block list for Private Browsing's Tracking
+ Protection
+ security fixes:
+ * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
+ Miscellaneous memory safety hazards
+ * MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
+ Crash with JavaScript variable assignment with unboxed objects
+ * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
+ Same-origin policy violation using perfomance.getEntries and
+ history navigation
+ * MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
+ Firefox allows for control characters to be set in cookies
+ * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
+ Use-after-free in WebRTC when datachannel is used after being
+ destroyed
+ * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
+ Integer overflow allocating extremely large textures
+ * MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
+ Cross-origin information leak through web workers error events
+ * MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
+ Hash in data URI is incorrectly parsed
+ * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
+ DOS due to malformed frames in HTTP/2
+ * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
+ Linux file chooser crashes on malformed images due to flaws in
+ Jasper library
+ * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
+ (bmo#1201183, bmo#1178033, bmo#1199400)
+ Buffer overflows found through code inspection
+ * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
+ Underflow through code inspection
+ * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
+ Integer overflow in MP4 playback in 64-bit versions
+ * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
+ Integer underflow and buffer overflow processing MP4 metadata in
+ libstagefright
+ * MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
+ Privilege escalation vulnerabilities in WebExtension APIs
+ * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
+ Cross-site reading attack through data and view-source URIs
+- rebased patches
+
+-------------------------------------------------------------------
+Sun Nov 15 19:52:20 UTC 2015 - wr@rosenauer.org
+
+- Add desktop menu action for private browsing window to desktop
+ file (boo#954747)
+- remove obsolete patch mozilla-bmo1005535.patch completely from
+ source package to avoid automatic check failures
+
+-------------------------------------------------------------------
+Sat Oct 31 19:50:03 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 42.0 (bnc#952810)
+ * Private Browsing with Tracking Protection blocks certain Web
+ elements that could be used to record your behavior across sites
+ * Control Center that contains site security and privacy controls
+ * Login Manager improvements
+ * WebRTC improvements
+ * Indicator added to tabs that play audio with one-click muting
+ * Media Source Extension for HTML5 video available for all sites
+ security fixes:
+ * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
+ Miscellaneous memory safety hazards
+ * MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
+ Information disclosure through NTLM authentication
+ * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
+ CSP bypass due to permissive Reader mode whitelist
+ * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
+ Firefox for Android addressbar can be removed after fullscreen mode
+ * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
+ Reading sensitive profile files through local HTML file on Android
+ * MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
+ disabling scripts in Add-on SDK panels has no effect
+ * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
+ Trailing whitespace in IP address hostnames can bypass same-origin policy
+ * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
+ Buffer overflow during image interactions in canvas
+ * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
+ Android intents can be used on Firefox for Android to open privileged files
+ * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
+ XSS attack through intents on Firefox for Android
+ * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
+ Crash when accessing HTML tables with accessibility tools on OS X
+ * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
+ CORS preflight is bypassed when non-standard Content-Type headers
+ are received
+ * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
+ Memory corruption in libjar through zip files
+ * MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
+ Certain escaped characters in host of Location-header are being
+ treated as non-escaped
+ * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
+ JavaScript garbage collection crash with Java applet
+ * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
+ (bmo#1188010, bmo#1204061, bmo#1204155)
+ Vulnerabilities found through code inspection
+ * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
+ Mixed content WebSocket policy bypass through workers
+ * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
+ (bmo#1202868, bmo#1205157)
+ NSS and NSPR memory corruption issues
+ (fixed in mozilla-nspr and mozilla-nss packages)
+- requires NSPR >= 4.10.10 and NSS >= 3.19.4
+- removed obsolete patches
+ * mozilla-arm-disable-edsp.patch
+ * mozilla-icu-strncat.patch
+ * mozilla-skia-be-le.patch
+ * toolkit-download-folder.patch
+- fixed build with enable-libproxy (bmo#1220399)
+ * mozilla-libproxy.patch
+
+-------------------------------------------------------------------
+Thu Oct 15 08:25:54 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 41.0.2 (bnc#950686)
+ * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
+ Cross-origin restriction bypass using Fetch
+- added explicit appdata provides (bnc#949983)
+
+-------------------------------------------------------------------
+Sun Oct 4 09:20:56 UTC 2015 - wr@rosenauer.org
+
+- do not build with --enable-stdcxx-compat
+ (this starts to fail build on various toolchain combinations
+ and is not required for openSUSE builds in general
+
+-------------------------------------------------------------------
+Thu Oct 1 09:49:57 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 41.0.1
+ * Fix a startup crash related to Yandex toolbar and Adblock Plus
+ (bmo#1209124)
+ * Fix potential hangs with Flash plugins (bmo#1185639)
+ * Fix a regression in the bookmark creation (bmo#1206376)
+ * Fix a startup crash with some Intel Media Accelerator 3150
+ graphic cards (bmo#1207665)
+ * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
+
+-------------------------------------------------------------------
+Sat Sep 19 20:23:29 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 41.0 (bnc#947003)
+ * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
+ Miscellaneous memory safety hazards
+ * MFSA 2015-97/CVE-2015-4503 (bmo#994337)
+ Memory leak in mozTCPSocket to servers
+ * MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
+ Out of bounds read in QCMS library with ICC V4 profile attributes
+ * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
+ Site attribute spoofing on Android by pasting URL with unknown scheme
+ * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
+ Arbitrary file manipulation by local user through Mozilla updater
+ * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
+ Buffer overflow in libvpx while parsing vp9 format video
+ * MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
+ Crash when using debugger with SavedStacks in JavaScript
+ * MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
+ URL spoofing in reader mode
+ * MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
+ Use-after-free with shared workers and IndexedDB
+ * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
+ Buffer overflow while decoding WebM video
+ * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
+ Use-after-free while manipulating HTML media content
+ * MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
+ Out-of-bounds read during 2D canvas display on Linux 16-bit
+ color depth systems
+ * MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
+ Scripted proxies can access inner window
+ * MFSA 2015-109/CVE-2015-4516 (bmo#904886)
+ JavaScript immutable property enforcement can be bypassed
+ * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
+ Dragging and dropping images exposes final URL after redirects
+ * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
+ Errors in the handling of CORS preflight request headers
+ * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
+ CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
+ CVE-2015-7180
+ Vulnerabilities found through code inspection
+ * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
+ bmo#1190526) (Windows only)
+ Memory safety errors in libGLES in the ANGLE graphics library
+ * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
+ Information disclosure via the High Resolution Time API
+- rebased patches
+- removed obsolete patches
+ * mozilla-arm64-libjpeg-turbo.patch
+
+------------------------------------------------------------------
+Thu Aug 27 06:03:51 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 40.0.3 (bnc#943550)
+ * Disable the asynchronous plugin initialization (bmo#1198590)
+ * Fix a segmentation fault in the GStreamer support (bmo#1145230)
+ * Fix a regression with some Japanese fonts used in the <input>
+ field (bmo#1194055)
+ * On some sites, the selection in a select combox box using the
+ mouse could be broken (bmo#1194733)
+ security fixes
+ * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
+ Use-after-free when resizing canvas element during restyling
+ * MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
+ Add-on notification bypass through data URLs
+
+-------------------------------------------------------------------
+Fri Aug 7 07:49:49 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 40.0 (bnc#940806)
+ * Added protection against unwanted software downloads
+ * Suggested Tiles show sites of interest, based on categories
+ from your recent browsing history
+ * Hello allows adding a link to conversations to provide context
+ on what the conversation will be about
+ * New style for add-on manager based on the in-content
+ preferences style
+ * Improved scrolling, graphics, and video playback performance
+ with off main thread compositing (GNU/Linux only)
+ * Graphic blocklist mechanism improved: Firefox version ranges
+ can be specified, limiting the number of devices blocked
+ security fixes:
+ * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
+ Miscellaneous memory safety hazards
+ * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
+ Out-of-bounds read with malformed MP3 file
+ * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
+ Use-after-free in MediaStream playback
+ * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
+ Redefinition of non-configurable JavaScript object properties
+ * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
+ Overflow issues in libstagefright
+ * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
+ Arbitrary file overwriting through Mozilla Maintenance Service
+ with hard links (only affected Windows)
+ * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
+ Out-of-bounds write with Updater and malicious MAR file
+ (does not affect openSUSE RPM packages which do not ship the
+ updater)
+ * MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
+ Feed protocol with POST bypasses mixed content protections
+ * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
+ Crash when using shared memory in JavaScript
+ * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
+ Heap overflow in gdk-pixbuf when scaling bitmap images
+ * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
+ Buffer overflows on Libvpx when decoding WebM video
+ * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
+ Vulnerabilities found through code inspection
+ * MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
+ Mozilla Content Security Policy allows for asterisk wildcards
+ in violation of CSP specification
+ * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
+ Use-after-free in XMLHttpRequest with shared workers
+- added mozilla-no-stdcxx-check.patch
+- removed obsolete patches
+ * mozilla-add-glibcxx_use_cxx11_abi.patch
+ * firefox-multilocale-chrome.patch
+- rebased patches
+- requires version 40 of the branding package
+- removed browser/searchplugins/ location as it's not valid anymore
+
+-------------------------------------------------------------------
+Fri Aug 7 07:09:39 UTC 2015 - wr@rosenauer.org
+
+- security update to Firefox 39.0.3 (bnc#940918)
+ * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
+ Same origin violation and local file stealing via PDF reader
+
+-------------------------------------------------------------------
+Wed Jul 1 06:43:02 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 39.0 (bnc#935979)
+ * Share Hello URLs with social networks
+ * Support for 'switch' role in ARIA 1.1 (web accessibility)
+ * SafeBrowsing malware detection lookups enabled for downloads
+ (Mac OS X and Linux)
+ * Support for new Unicode 8.0 skin tone emoji
+ * Removed support for insecure SSLv3 for network communications
+ * Disable use of RC4 except for temporarily whitelisted hosts
+ * NPAPI Plug-in performance improved via asynchronous initialization
+ security fixes:
+ * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
+ Miscellaneous memory safety hazards
+ * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
+ Local files or privileged URLs in pages can be opened into new tabs
+ * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
+ Type confusion in Indexed Database Manager
+ * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
+ Out-of-bound read while computing an oscillator rendering range in Web Audio
+ * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
+ Use-after-free in Content Policy due to microtask execution error
+ * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
+ ECDSA signature validation fails to handle some signatures correctly
+ (this fix is shipped by NSS 3.19.1 externally)
+ * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
+ Use-after-free in workers while using XMLHttpRequest
+ * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
+ CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
+ Vulnerabilities found through code inspection
+ * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
+ Key pinning is ignored when overridable errors are encountered
+ * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
+ OS X crash reports may contain entered key press information
+ (not relevant under Linux)
+ * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
+ Privilege escalation in PDF.js
+ * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
+ NSS accepts export-length DHE keys with regular DHE cipher suites
+ (this fix is shipped by NSS 3.19.1 externally)
+ * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
+ NSS incorrectly permits skipping of ServerKeyExchange
+ (this fix is shipped by NSS 3.19.1 externally)
+- dropped mozilla-prefer_plugin_pref.patch as this feature is
+ likely not worth maintaining further
+- rebased patches
+- require NSS 3.19.2
+
+-------------------------------------------------------------------
+Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de
+
+- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
+
+-------------------------------------------------------------------
+Sun Jun 7 07:09:12 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 38.0.6
+ * fixes bmo#1171730 which is not really relevant to oS builds
+- fix KDE regression from 38.0.5 builds (bsc#933439)
+
+-------------------------------------------------------------------
+Sat May 23 21:13:49 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 38.0.5
+ * Keep track of articles and videos with Pocket
+ * Clean formatting for articles and blog posts with Reader View
+ * Share the active tab or window in a Hello conversation
+- add changes file as source for SRPM (bsc#932142)
+
+-------------------------------------------------------------------
+Fri May 15 10:40:19 UTC 2015 - normand@linux.vnet.ibm.com
+
+- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
+
+-------------------------------------------------------------------
+Fri May 15 07:37:46 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 38.0.1
+ stability and regression fixes
+ * Systems with first generation NVidia Optimus graphics cards
+ may crash on start-up
+ * Users who import cookies from Google Chrome can end up with
+ broken websites
+ * Large animated images may fail to play and may stop other
+ images from loading
+
+-------------------------------------------------------------------
+Sun May 10 07:07:49 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 38.0 (bnc#930622)
+ * New tab-based preferences
+ * Ruby annotation support
+ * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
+ security fixes:
+ * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
+ Miscellaneous memory safety hazards
+ * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
+ Buffer overflow parsing H.264 video with Linux Gstreamer
+ * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
+ Buffer overflow with SVG content and CSS
+ * MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
+ Referrer policy ignored when links opened by middle-click and
+ context menu
+ * MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
+ Out-of-bounds read and write in asm.js validation
+ * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
+ Use-after-free during text processing with vertical text enabled
+ * MFSA 2015-53/CVE-2015-2715 (bmo#988698)
+ Use-after-free due to Media Decoder Thread creation during shutdown
+ * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
+ Buffer overflow when parsing compressed XML
+ * MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
+ Buffer overflow and out-of-bounds read while parsing MP4 video
+ metadata
+ * MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
+ Untrusted site hosting trusted page can intercept webchannel
+ responses
+ * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
+ Privilege escalation through IPC channel messages
+- requires NSS 3.18.1
+- removed obsolete patches:
+ * mozilla-skia-bmo1136958.patch
+- remove gnomevfs build options as it is removed from sources
+- rebased patches
+
+-------------------------------------------------------------------
+Fri Apr 17 16:39:20 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 37.0.2 (bnc#928116)
+ * MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
+ Memory corruption during failed plugin initialization
+
+-------------------------------------------------------------------
+Fri Apr 3 08:27:24 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 37.0.1 (bnc#926166)
+ * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
+ Loading privileged content through Reader mode
+ * MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
+ Certificate verification bypass through the HTTP/2 Alt-Svc header
+
+-------------------------------------------------------------------
+Sat Mar 28 09:46:48 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 37.0 (bnc#925368)
+ * Heartbeat user rating system
+ * Yandex set as default search provider for the Turkish locale
+ * Bing search now uses HTTPS for secure searching
+ * Improved protection against site impersonation via OneCRL
+ centralized certificate revocation
+ * Opportunistically encrypt HTTP traffic where the server supports
+ HTTP/2 AltSvc
+ * some more behaviour changes for TLS
+ security fixes:
+ * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
+ Miscellaneous memory safety hazards
+ * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
+ Use-after-free when using the Fluendo MP3 GStreamer plugin
+ * MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
+ Add-on lightweight theme installation approval bypassed through
+ MITM attack
+ * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
+ resource:// documents can load privileged pages
+ * MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
+ Out of bounds read in QCMS library
+ * MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
+ Cursor clickjacking with flash and images (OS X only)
+ * MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
+ Incorrect memory management for simple-type arrays in WebRTC
+ * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
+ CORS requests should not follow 30x redirections after preflight
+ * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
+ Memory corruption crashes in Off Main Thread Compositing
+ * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
+ Use-after-free due to type confusion flaws
+ * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
+ Same-origin bypass through anchor navigation
+ * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
+ PRNG weakness allows for DNS poisoning on Android (only)
+ * MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
+ Windows can retain access to privileged content on navigation
+ to unprivileged pages
+- removed obsolete patches
+ * mozilla-bmo1088588.patch
+ * mozilla-bmo1108834.patch
+- requires NSPR 4.10.8
+
+-------------------------------------------------------------------
+Tue Mar 24 15:35:24 UTC 2015 - dvaleev@suse.com
+
+- Fix builds with skia on Power
+ mozilla-skia-be-le.patch (patch from #bmo1136958)
+ mozilla-bmo1108834.patch
+ mozilla-bmo1005535.patch
+
+-------------------------------------------------------------------
+Sat Mar 21 09:03:12 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 36.0.4 (bnc#923534)
+ * MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
+ Privilege escalation through SVG navigation
+ * MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
+ Code execution through incorrect JavaScript bounds checking
+ elimination
+
+-------------------------------------------------------------------
+Fri Mar 20 15:02:33 UTC 2015 - dimstar@opensuse.org
+
+- Copy the icons to /usr/share/icons instead of symlinking them:
+ in preparation for containerized apps (e.g. xdg-app) as well as
+ AppStream metadata extraction, there are a couple locations that
+ need to be real files for system integration (.desktop files,
+ icons, mime-type info).
+
+-------------------------------------------------------------------
+Sat Mar 7 07:40:56 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 36.0.1
+ Bugfixes:
+ * Disable the usage of the ANY DNS query type (bmo#1093983)
+ * Hello may become inactive until restart (bmo#1137469)
+ * Print preferences may not be preserved (bmo#1136855)
+ * Hello contact tabs may not be visible (bmo#1137141)
+ * Accept hostnames that include an underscore character ("_")
+ (bmo#1136616)
+ * WebGL may use significant memory with Canvas2d (bmo#1137251)
+ * Option -remote has been restored (bmo#1080319)
+- added mozilla-skia-bmo1136958.patch to fix build issues for
+ ARM and PPC
+
+-------------------------------------------------------------------
+Fri Feb 20 22:53:39 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 36.0 (bnc#917597)
+ * mozilla-xremote-client was removed
+ * added libclearkey.so media plugin
+ * Pinned tiles on the new tab page can be synced
+ * Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
+ more scalable, and more responsive web.
+ * Locale added: Uzbek (uz)
+ security fixes:
+ * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
+ Miscellaneous memory safety hazards
+ * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
+ Invoking Mozilla updater will load locally stored DLL files
+ (Windows only)
+ * MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
+ Appended period to hostnames can bypass HPKP and HSTS protections
+ * MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
+ Malicious WebGL content crash when writing strings
+ * MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
+ TLS TURN and STUN connections silently fail to simple TCP connections
+ * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
+ Use-after-free in IndexedDB
+ * MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
+ Buffer overflow in libstagefright during MP4 video playback
+ * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
+ Double-free when using non-default memory allocators with a
+ zero-length XHR
+ * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
+ Out-of-bounds read and write while rendering SVG content
+ * MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
+ Buffer overflow during CSS restyling
+ * MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
+ Buffer underflow during MP3 playback
+ * MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
+ Crash using DrawTarget in Cairo graphics library
+ * MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
+ Use-after-free in Developer Console date with OpenType Sanitiser
+ * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
+ Reading of local files through manipulation of form autocomplete
+ * MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
+ Local files or privileged URLs in pages can be opened into new tabs
+ * MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
+ UI Tour whitelisted sites in background tab can spoof foreground
+ tabs
+ * MFSA 2015-27CVE-2015-0820 (bmo#1125398)
+ Caja Compiler JavaScript sandbox bypass
+- rebased patches
+- requires NSS 3.17.4
+
+-------------------------------------------------------------------
+Sat Jan 31 18:37:38 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 35.0.1
+ * With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
+ * Kerberos authentication did not work with alias (bmo#1108971)
+ * SVG / CSS animation had a regression causing rendering issues on
+ websites like openstreemap.org (bmo#1083079)
+ * On Godaddy webmail, Firefox could crash (bmo#1113121)
+ * document.baseURI did not get updated to document.location after
+ base tag was removed from DOM for site with a CSP (bmo#1121857)
+ * With a Right-to-left (RTL) version of Firefox, the text selection
+ could be broken (bmo#1104036)
+ * CSP had a change in behavior with regard to case sensitivity
+ resources loading (bmo#1122445)
+
+-------------------------------------------------------------------
+Sat Jan 10 18:36:37 UTC 2015 - wr@rosenauer.org
+
+- update to Firefox 35.0 (bnc#910669)
+ notable features:
+ * Firefox Hello with new rooms-based conversations model
+ * Implemented HTTP Public Key Pinning Extension (for enhanced
+ authentication of encrypted connections)
+ security fixes:
+ * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
+ Miscellaneous memory safety hazards
+ * MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
+ Uninitialized memory use during bitmap rendering
+ * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
+ sendBeacon requests lack an Origin header
+ * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
+ Cookie injection through Proxy Authenticate responses
+ * MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
+ Read of uninitialized memory in Web Audio
+ * MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
+ Read-after-free in WebRTC
+ * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
+ Gecko Media Plugin sandbox escape
+ * MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
+ Delegated OCSP responder certificates failure with
+ id-pkix-ocsp-nocheck extension
+ * MFSA 2015-09/CVE-2014-8636 (bmo#987794)
+ XrayWrapper bypass through DOM objects
+- rebased patches
+- dropped explicit support for everything older than 12.3
+ (including SLES11)
+ * merge firefox-kde.patch and firefox-kde-114.patch
+ * dropped mozilla-sle11.patch
+- reworked specfile to build conditionally based on release channel
+ either Firefox or Firefox Developer Edition
+- added mozilla-openaes-decl.patch to fix implicit declarations
+- obsolete tracker-miner-firefox < 0.15 because it leads to startup
+ crashes (bnc#908892)
+
+-------------------------------------------------------------------
+Sat Dec 13 22:13:00 UTC 2014 - Led <ledest@gmail.com>
+
+- fix bashism in mozilla.sh script
+
+-------------------------------------------------------------------
+Sat Nov 29 21:23:03 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 34.0.5 (bnc#908009)
+ * Default search engine changed to Yahoo! for North America
+ * Default search engine changed to Yandex for Belarusian, Kazakh,
+ and Russian locales
+ * Improved search bar (en-US only)
+ * Firefox Hello real-time communication client
+ * Easily switch themes/personas directly in the Customizing mode
+ * Implementation of HTTP/2 (draft14) and ALPN
+ * Disabled SSLv3
+ * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
+ Miscellaneous memory safety hazards
+ * MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
+ XBL bindings accessible via improper CSS declarations
+ * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
+ XMLHttpRequest crashes with some input streams
+ * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
+ CSP leaks redirect data via violation reports
+ * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
+ Use-after-free during HTML5 parsing
+ * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
+ Buffer overflow while parsing media content
+ * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
+ Bad casting from the BasicThebesLayer to BasicContainerLayer
+- rebased patches
+- limit linker memory usage for %ix86
+- rebased patches
+
+-------------------------------------------------------------------
+Fri Nov 7 20:14:32 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 33.1
+ * Adding DuckDuckGo as a search option (upstream)
+ * Forget Button added
+ * Enhanced Tiles
+ * Privacy tour introduced
+- fix typo in GStreamer Recommends
+
+-------------------------------------------------------------------
+Tue Nov 4 18:00:35 UTC 2014 - guillaume@opensuse.org
+
+- Disable elf-hack for aarch64
+- Enable EGL for aarch64
+- Limit RAM usage during link for %arm
+- Fix _constraints for ARM
+
+-------------------------------------------------------------------
+Mon Nov 3 11:36:04 UTC 2014 - dmueller@suse.com
+
+- use proper macros for ARM
+
+-------------------------------------------------------------------
+Mon Nov 3 11:26:23 UTC 2014 - josua.mayer97@gmail.com
+
+- use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
+ to fix compiling.
+- pass '-Wl,--no-keep-memory' to linker to reduce required memory during
+ linking on arm.
+
+-------------------------------------------------------------------
+Thu Oct 30 11:31:05 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 33.0.2
+ * Fix a startup crash with some combination of hardware and drivers
+ 33.0.1
+ * Firefox displays a black screen at start-up with certain
+ graphics drivers
+- adjusted _constraints for ARM
+
+-------------------------------------------------------------------
+Tue Oct 28 15:23:09 UTC 2014 - josua.mayer97@gmail.com
+
+- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
+
+-------------------------------------------------------------------
+Sat Oct 25 08:45:43 UTC 2014 - wr@rosenauer.org
+
+- define /usr/share/myspell as additional dictionary location
+ and remove add-plugins.sh finally (bnc#900639)
+
+-------------------------------------------------------------------
+Sun Oct 19 12:59:28 UTC 2014 - vindex17@outlook.it
+
+- use Firefox default optimization flags instead of -Os
+- specfile cleanup
+
+-------------------------------------------------------------------
+Wed Oct 15 08:05:33 UTC 2014 - wr@rosenauer.org
+
+- fix build for all ppc by not enabling elf-hack
+ (bnc#901213)
+
+-------------------------------------------------------------------
+Sat Oct 11 08:48:24 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 33.0 (bnc#900941)
+ New features:
+ * OpenH264 support (sandboxed)
+ * Enhanced Tiles
+ * Improved search experience through the location bar
+ * Slimmer and faster JavaScript strings
+ * New CSP (Content Security Policy) backend
+ * Support for connecting to HTTP proxy over HTTPS
+ * Improved reliability of the session restoration
+ * Proprietary window.crypto properties/functions removed
+ Security:
+ * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575
+ Miscellaneous memory safety hazards
+ * MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
+ Buffer overflow during CSS manipulation
+ * MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
+ Web Audio memory corruption issues with custom waveforms
+ * MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
+ Out-of-bounds write with WebM video
+ * MFSA 2014-78/CVE-2014-1580 (bmo#1063733)
+ Further uninitialized memory use during GIF rendering
+ * MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
+ Use-after-free interacting with text directionality
+ * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
+ Key pinning bypasses
+ * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
+ Inconsistent video sharing within iframe
+ * MFSA 2014-82/CVE-2014-1583 (bmo#1015540)
+ Accessing cross-origin objects via the Alarms API
+ (only relevant for installed web apps)
+- requires NSPR 4.10.7
+- requires NSS 3.17.1
+- removed obsolete patches:
+ * mozilla-ppc.patch
+ * mozilla-libproxy-compat.patch
+- added basic appdata information
+
+-------------------------------------------------------------------
+Sat Sep 20 13:33:51 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 32.0.2
+ * just a version bump for our builds
+ * fixed the in application update process for certain environments
+ (in application update is not enabled in openSUSE and Linux
+ is unaffected in any case)
+- build with --disable-optimize for 13.1 and above for i586 to
+ workaround miscompilations (bnc#896624)
+- use some more build flags to align with upstream
+
+-------------------------------------------------------------------
+Sat Sep 13 16:58:16 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 32.0.1
+ * fixed stability issues for computers with multiple graphics cards
+ * mixed content icon may be incorrectly displayed instead of lock
+ icon for SSL sites in 32.0 (
+ * WebRTC: setRemoteDescription() silently fails if no success
+ callback is specified (bmo#1063971)
+
+-------------------------------------------------------------------
+Sun Aug 31 07:44:54 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 32.0 (bnc#894370)
+ * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
+ Miscellaneous memory safety hazards
+ * MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
+ Use-after-free during DOM interactions with SVG
+ * MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
+ Uninitialized memory use during GIF rendering
+ * MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
+ Out-of-bounds read in Web Audio audio timeline
+ * MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
+ Use-after-free setting text directionality
+- rebased patches
+- requires NSS 3.16.4
+- removed upstreamed patch
+ * mozilla-aarch64-bmo-810631.patch
+
+-------------------------------------------------------------------
+Wed Aug 20 13:50:58 CEST 2014 - behlert@suse.de
+
+- adapted _constraints, used more than 3900MB on s390x during
+ last build
+
+-------------------------------------------------------------------
+Sun Jul 20 18:11:44 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 31.0 (bnc#887746)
+ * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
+ Miscellaneous memory safety hazards
+ * MFSA 2014-57/CVE-2014-1549 (bmo#1020205)
+ Buffer overflow during Web Audio buffering for playback
+ * MFSA 2014-58/CVE-2014-1550 (bmo#1020411)
+ Use-after-free in Web Audio due to incorrect control message ordering
+ * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375)
+ Toolbar dialog customization event spoofing
+ * MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
+ Use-after-free with FireOnStateChange event
+ * MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
+ Exploitable WebGL crash with Cesium JavaScript library
+ * MFSA 2014-63/CVE-2014-1544 (bmo#963150)
+ Use-after-free while when manipulating certificates in the trusted cache
+ (solved with NSS 3.16.2 requirement)
+ * MFSA 2014-64/CVE-2014-1557 (bmo#913805)
+ Crash in Skia library when scaling high quality images
+ * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560
+ (bmo#1015973, bmo#1026022, bmo#997795)
+ Certificate parsing broken by non-standard character encoding
+ * MFSA 2014-66/CVE-2014-1552 (bmo#985135)
+ IFRAME sandbox same-origin access through redirect
+- use EGL on ARM
+- rebased patches
+- requires NSS 3.16.2
+- requires python-devel (not only python)
+
+-------------------------------------------------------------------
+Mon Jun 9 08:28:17 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 30.0 (bnc#881874)
+ * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
+ (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
+ bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
+ bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
+ bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
+ bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
+ bmo#1009952, bmo#1011007)
+ Miscellaneous memory safety hazards (rv:30.0)
+ * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
+ (bmo#989994, bmo#999274, bmo#1005584)
+ Use-after-free and out of bounds issues found using Address
+ Sanitizer
+ * MFSA 2014-50/CVE-2014-1539 (bmo#995603)
+ Clickjacking through cursor invisability after Flash interaction
+ * MFSA 2014-51/CVE-2014-1540 (bmo#978862)
+ Use-after-free in Event Listener Manager
+ * MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
+ Use-after-free with SMIL Animation Controller
+ * MFSA 2014-53/CVE-2014-1542 (bmo#991533)
+ Buffer overflow in Web Audio Speex resampler
+ * MFSA 2014-54/CVE-2014-1543 (bmo#1011859)
+ Buffer overflow in Gamepad API
+ * MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
+ Out of bounds write in NSPR
+- rebased patches
+- removed obsolete patches
+ * firefox-browser-css.patch
+ * mozilla-aarch64-bmo-962488.patch
+ * mozilla-aarch64-bmo-963023.patch
+ * mozilla-aarch64-bmo-963024.patch
+ * mozilla-aarch64-bmo-963027.patch
+ * mozilla-ppc64-xpcom.patch
+ * mozilla-ppc64le-javascript.patch
+ * mozilla-ppc64le-libffi.patch
+ * mozilla-ppc64le-mfbt.patch
+ * mozilla-ppc64le-webrtc.patch
+ * mozilla-ppc64le-xpcom.patch
+ * mozilla-ppc64le-build.patch
+- requires NSPR 4.10.6
+- enabled GStreamer 1.0 usage for 13.2 and above
+
+-------------------------------------------------------------------
+Sat May 10 06:09:37 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 29.0.1
+ * Seer disabled by default (bmo#1005958)
+ * Session Restore failed with a corrupted sessionstore.js file
+ (bmo#1001167)
+ * pdf.js printing white page (bmo#1003707, bnc#876833)
+- general.useragent.locale gets overwritten with en-US while it
+ should be using the active langpack's setting
+
+-------------------------------------------------------------------
+Sat Apr 26 12:18:07 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 29.0 (bnc#875378)
+ * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519
+ Miscellaneous memory safety hazards
+ * MFSA 2014-36/CVE-2014-1522 (bmo#995289)
+ Web Audio memory corruption issues
+ * MFSA 2014-37/CVE-2014-1523 (bmo#969226)
+ Out of bounds read while decoding JPG images
+ * MFSA 2014-38/CVE-2014-1524 (bmo#989183)
+ Buffer overflow when using non-XBL object as XBL
+ * MFSA 2014-39/CVE-2014-1525 (bmo#989210)
+ Use-after-free in the Text Track Manager for HTML video
+ * MFSA 2014-41/CVE-2014-1528 (bmo#963962)
+ Out-of-bounds write in Cairo
+ * MFSA 2014-42/CVE-2014-1529 (bmo#987003)
+ Privilege escalation through Web Notification API
+ * MFSA 2014-43/CVE-2014-1530 (bmo#895557)
+ Cross-site scripting (XSS) using history navigations
+ * MFSA 2014-44/CVE-2014-1531 (bmo#987140)
+ Use-after-free in imgLoader while resizing images
+ * MFSA 2014-45/CVE-2014-1492 (bmo#903885)
+ Incorrect IDNA domain name matching for wildcard certificates
+ (fixed by NSS 3.16)
+ * MFSA 2014-46/CVE-2014-1532 (bmo#966006)
+ Use-after-free in nsHostResolver
+ * MFSA 2014-47/CVE-2014-1526 (bmo#988106)
+ Debugger can bypass XrayWrappers with JavaScript
+- rebased patches
+- removed obsolete patches
+ * firefox-browser-css.patch
+ * mozilla-aarch64-599882cfb998.diff
+ * mozilla-aarch64-bmo-963028.patch
+ * mozilla-aarch64-bmo-963029.patch
+ * mozilla-aarch64-bmo-963030.patch
+ * mozilla-aarch64-bmo-963031.patch
+- requires NSS 3.16
+- added mozilla-icu-strncat.patch to fix post build checks
+
+-------------------------------------------------------------------
+Mon Apr 7 15:34:31 UTC 2014 - dmueller@suse.com
+
+- add mozilla-aarch64-599882cfb998.patch,
+ mozilla-aarch64-bmo-810631.patch,
+ mozilla-aarch64-bmo-962488.patch,
+ mozilla-aarch64-bmo-963030.patch,
+ mozilla-aarch64-bmo-963027.patch,
+ mozilla-aarch64-bmo-963028.patch,
+ mozilla-aarch64-bmo-963029.patch,
+ mozilla-aarch64-bmo-963023.patch,
+ mozilla-aarch64-bmo-963024.patch,
+ mozilla-aarch64-bmo-963031.patch: AArch64 porting
+
+-------------------------------------------------------------------
+Mon Mar 24 16:18:44 UTC 2014 - dvaleev@suse.com
+
+- Add patch for bmo#973977
+ * mozilla-ppc64-xpcom.patch
+
+-------------------------------------------------------------------
+Mon Mar 24 14:29:12 UTC 2014 - dvaleev@suse.com
+
+- Refresh mozilla-ppc64le-xpcom.patch patch
+
+-------------------------------------------------------------------
+Fri Mar 21 19:01:42 UTC 2014 - dvaleev@suse.com
+
+- Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system
+
+-------------------------------------------------------------------
+Sun Mar 16 13:39:15 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 28.0 (bnc#868603)
+ * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
+ Miscellaneous memory safety hazards
+ * MFSA 2014-17/CVE-2014-1497 (bmo#966311)
+ Out of bounds read during WAV file decoding
+ * MFSA 2014-18/CVE-2014-1498 (bmo#935618)
+ crypto.generateCRMFRequest does not validate type of key
+ * MFSA 2014-19/CVE-2014-1499 (bmo#961512)
+ Spoofing attack on WebRTC permission prompt
+ * MFSA 2014-20/CVE-2014-1500 (bmo#956524)
+ onbeforeunload and Javascript navigation DOS
+ * MFSA 2014-22/CVE-2014-1502 (bmo#972622)
+ WebGL content injection from one domain to rendering in another
+ * MFSA 2014-23/CVE-2014-1504 (bmo#911547)
+ Content Security Policy for data: documents not preserved by
+ session restore
+ * MFSA 2014-26/CVE-2014-1508 (bmo#963198)
+ Information disclosure through polygon rendering in MathML
+ * MFSA 2014-27/CVE-2014-1509 (bmo#966021)
+ Memory corruption in Cairo during PDF font rendering
+ * MFSA 2014-28/CVE-2014-1505 (bmo#941887)
+ SVG filters information disclosure through feDisplacementMap
+ * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
+ Privilege escalation using WebIDL-implemented APIs
+ * MFSA 2014-30/CVE-2014-1512 (bmo#982957)
+ Use-after-free in TypeObject
+ * MFSA 2014-31/CVE-2014-1513 (bmo#982974)
+ Out-of-bounds read/write through neutering ArrayBuffer objects
+ * MFSA 2014-32/CVE-2014-1514 (bmo#983344)
+ Out-of-bounds write through TypedArrayObject after neutering
+- requires NSPR 4.10.3 and NSS 3.15.5
+- new build dependency (and recommends):
+ * libpulse
+- update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com)
+- rebased patches
+
+-------------------------------------------------------------------
+Mon Feb 17 11:59:28 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 27.0.1
+ * Fixed stability issues with Greasemonkey and other JS that used
+ ClearTimeoutOrInterval
+ * JS math correctness issue (bmo#941381)
+- incorporate Google API key for geolocation (bnc#864170)
+- updated list of "other" locales in RPM requirements
+
+-------------------------------------------------------------------
+Tue Jan 28 15:45:41 UTC 2014 - wr@rosenauer.org
+
+- update to Firefox 27.0 (bnc#861847)
+ * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
+ Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
+ * MFSA 2014-02/CVE-2014-1479 (bmo#911864)
+ Clone protected content with XBL scopes
+ * MFSA 2014-03/CVE-2014-1480 (bmo#916726)
+ UI selection timeout missing on download prompts
+ * MFSA 2014-04/CVE-2014-1482 (bmo#943803)
+ Incorrect use of discarded images by RasterImage
+ * MFSA 2014-05/CVE-2014-1483 (bmo#950427)
+ Information disclosure with *FromPoint on iframes
+ * MFSA 2014-06/CVE-2014-1484 (bmo#953993)
+ Profile path leaks to Android system log
+ * MFSA 2014-07/CVE-2014-1485 (bmo#910139)
+ XSLT stylesheets treated as styles in Content Security Policy
+ * MFSA 2014-08/CVE-2014-1486 (bmo#942164)
+ Use-after-free with imgRequestProxy and image proccessing
+ * MFSA 2014-09/CVE-2014-1487 (bmo#947592)
+ Cross-origin information leak through web workers
+ * MFSA 2014-10/CVE-2014-1489 (bmo#959531)
+ Firefox default start page UI content invokable by script
+ * MFSA 2014-11/CVE-2014-1488 (bmo#950604)
+ Crash when using web workers with asm.js
+ * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
+ (bmo#934545, bmo#930874, bmo#930857)
+ NSS ticket handling issues
+ * MFSA 2014-13/CVE-2014-1481(bmo#936056)
+ Inconsistent JavaScript handling of access to Window objects
+- requires NSS 3.15.4 or higher
+- rebased/reworked patches
+- removed obsolete mozilla-bug929439.patch
+
+-------------------------------------------------------------------
+Thu Dec 12 21:19:54 UTC 2013 - uweigand@de.ibm.com
+
+- Add support for powerpc64le-linux.
+ * mozilla-ppc64le.patch: general support
+ * mozilla-libffi-ppc64le.patch: libffi backport
+ * mozilla-xpcom-ppc64le.patch: port xpcom
+- Add build fix from mainline.
+ * mozilla-bug929439.patch
+
+-------------------------------------------------------------------
+Sun Dec 8 20:26:23 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 26.0 (bnc#854367, bnc#854370)
+ * rebased patches
+ * requires NSPR 4.10.2 and NSS 3.15.3.1
+ * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
+ Miscellaneous memory safety hazards
+ * MFSA 2013-105/CVE-2013-5611 (bmo#771294)
+ Application Installation doorhanger persists on navigation
+ * MFSA 2013-106/CVE-2013-5612 (bmo#871161)
+ Character encoding cross-origin XSS attack
+ * MFSA 2013-107/CVE-2013-5614 (bmo#886262)
+ Sandbox restrictions not applied to nested object elements
+ * MFSA 2013-108/CVE-2013-5616 (bmo#938341)
+ Use-after-free in event listeners
+ * MFSA 2013-109/CVE-2013-5618 (bmo#926361)
+ Use-after-free during Table Editing
+ * MFSA 2013-110/CVE-2013-5619 (bmo#917841)
+ Potential overflow in JavaScript binary search algorithms
+ * MFSA 2013-111/CVE-2013-6671 (bmo#930281)
+ Segmentation violation when replacing ordered list elements
+ * MFSA 2013-112/CVE-2013-6672 (bmo#894736)
+ Linux clipboard information disclosure though selection paste
+ * MFSA 2013-113/CVE-2013-6673 (bmo#970380)
+ Trust settings for built-in roots ignored during EV certificate
+ validation
+ * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
+ Use-after-free in synthetic mouse movement
+ * MFSA 2013-115/CVE-2013-5615 (bmo#929261)
+ GetElementIC typed array stubs can be generated outside observed
+ typesets
+ * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
+ JPEG information leak
+ * MFSA 2013-117 (bmo#946351)
+ Mis-issued ANSSI/DCSSI certificate
+ (fixed via NSS 3.15.3.1)
+- removed gecko.js preference file as GStreamer is enabled by
+ default now
+
+-------------------------------------------------------------------
+Thu Oct 24 18:16:19 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 25.0 (bnc#847708)
+ * rebased patches
+ * requires NSS 3.15.2 or above
+ * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
+ Miscellaneous memory safety hazards
+ * MFSA 2013-94/CVE-2013-5593 (bmo#868327)
+ Spoofing addressbar through SELECT element
+ * MFSA 2013-95/CVE-2013-5604 (bmo#914017)
+ Access violation with XSLT and uninitialized data
+ * MFSA 2013-96/CVE-2013-5595 (bmo#916580)
+ Improperly initialized memory and overflows in some JavaScript
+ functions
+ * MFSA 2013-97/CVE-2013-5596 (bmo#910881)
+ Writing to cycle collected object during image decoding
+ * MFSA 2013-98/CVE-2013-5597 (bmo#918864)
+ Use-after-free when updating offline cache
+ * MFSA 2013-99/CVE-2013-5598 (bmo#920515)
+ Security bypass of PDF.js checks using iframes
+ * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
+ (bmo#915210, bmo#915576, bmo#916685)
+ Miscellaneous use-after-free issues found through ASAN fuzzing
+ * MFSA 2013-101/CVE-2013-5602 (bmo#897678)
+ Memory corruption in workers
+ * MFSA 2013-102/CVE-2013-5603 (bmo#916404)
+ Use-after-free in HTML document templates
+
+-------------------------------------------------------------------
+Tue Sep 24 07:31:30 UTC 2013 - wr@rosenauer.org
+
+- as GStreamer is not automatically required anymore but loaded
+ dynamically if available, require it explicitely
+- recommend optional GStreamer plugins for comprehensive media
+ support
+
+-------------------------------------------------------------------
+Mon Sep 16 11:59:18 UTC 2013 - lnussel@suse.de
+
+- move greek to the translations-common package (bnc#840551)
+
+-------------------------------------------------------------------
+Sat Sep 14 14:39:58 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 24.0 (bnc#840485)
+ * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
+ Miscellaneous memory safety hazards
+ * MFSA 2013-77/CVE-2013-1720 (bmo#888820)
+ Improper state in HTML5 Tree Builder with templates
+ * MFSA 2013-78/CVE-2013-1721 (bmo#890277)
+ Integer overflow in ANGLE library
+ * MFSA 2013-79/CVE-2013-1722 (bmo#893308)
+ Use-after-free in Animation Manager during stylesheet cloning
+ * MFSA 2013-80/CVE-2013-1723 (bmo#891292)
+ NativeKey continues handling key messages after widget is destroyed
+ * MFSA 2013-81/CVE-2013-1724 (bmo#894137)
+ Use-after-free with select element
+ * MFSA 2013-82/CVE-2013-1725 (bmo#876762)
+ Calling scope for new Javascript objects can lead to memory corruption
+ * MFSA 2013-85/CVE-2013-1728 (bmo#883686)
+ Uninitialized data in IonMonkey
+ * MFSA 2013-88/CVE-2013-1730 (bmo#851353)
+ Compartment mismatch re-attaching XBL-backed nodes
+ * MFSA 2013-89/CVE-2013-1732 (bmo#883514)
+ Buffer overflow with multi-column, lists, and floats
+ * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
+ Memory corruption involving scrolling
+ * MFSA 2013-91/CVE-2013-1737 (bmo#907727)
+ User-defined properties on DOM proxies get the wrong "this" object
+ * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
+ GC hazard with default compartments and frame chain restoration
+- enable gstreamer explicitely via pref (gecko.js)
+- require NSS 3.15.1
+
+-------------------------------------------------------------------
+Mon Aug 26 07:35:36 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 23.0.1
+ * Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls
+ (bmo#901527)
+
+-------------------------------------------------------------------
+Sun Aug 4 18:30:11 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 23.0 (bnc#833389)
+ * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
+ Miscellaneous memory safety hazards
+ * MFSA 2013-64/CVE-2013-1704 (bmo#883313)
+ Use after free mutating DOM during SetBody
+ * MFSA 2013-65/CVE-2013-1705 (bmo#882865)
+ Buffer underflow when generating CRMF requests
+ * MFSA 2013-67/CVE-2013-1708 (bmo#879924)
+ Crash during WAV audio file decoding
+ * MFSA 2013-68/CVE-2013-1709 (bmo#838253)
+ Document URI misrepresentation and masquerading
+ * MFSA 2013-69/CVE-2013-1710 (bmo#871368)
+ CRMF requests allow for code execution and XSS attacks
+ * MFSA 2013-70/CVE-2013-1711 (bmo#843829)
+ Bypass of XrayWrappers using XBL Scopes
+ * MFSA 2013-72/CVE-2013-1713 (bmo#887098)
+ Wrong principal used for validating URI for some Javascript
+ components
+ * MFSA 2013-73/CVE-2013-1714 (bmo#879787)
+ Same-origin bypass with web workers and XMLHttpRequest
+ * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
+ Local Java applets may read contents of local file system
+- requires NSPR 4.10 and NSS 3.15
+
+-------------------------------------------------------------------
+Wed Jul 3 17:14:35 UTC 2013 - dmueller@suse.com
+
+- fix build on ARM (/-g/ matches /-grecord-switches/)
+
+-------------------------------------------------------------------
+Sat Jun 22 17:48:06 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 22.0 (bnc#825935)
+ * removed obsolete patches
+ + mozilla-qcms-ppc.patch
+ + mozilla-gstreamer-760140.patch
+ * GStreamer support does not build on 12.1 anymore (build only
+ on 12.2 and later)
+ * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683
+ Miscellaneous memory safety hazards
+ * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
+ Memory corruption found using Address Sanitizer
+ * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
+ Privileged content access and execution via XBL
+ * MFSA 2013-52/CVE-2013-1688 (bmo#873966)
+ Arbitrary code execution within Profiler
+ * MFSA 2013-53/CVE-2013-1690 (bmo#857883)
+ Execution of unmapped memory through onreadystatechange event
+ * MFSA 2013-54/CVE-2013-1692 (bmo#866915)
+ Data in the body of XHR HEAD requests leads to CSRF attacks
+ * MFSA 2013-55/CVE-2013-1693 (bmo#711043)
+ SVG filters can lead to information disclosure
+ * MFSA 2013-56/CVE-2013-1694 (bmo#848535)
+ PreserveWrapper has inconsistent behavior
+ * MFSA 2013-57/CVE-2013-1695 (bmo#849791)
+ Sandbox restrictions not applied to nested frame elements
+ * MFSA 2013-58/CVE-2013-1696 (bmo#761667)
+ X-Frame-Options ignored when using server push with multi-part
+ responses
+ * MFSA 2013-59/CVE-2013-1697 (bmo#858101)
+ XrayWrappers can be bypassed to run user defined methods in a
+ privileged context
+ * MFSA 2013-60/CVE-2013-1698 (bmo#876044)
+ getUserMedia permission dialog incorrectly displays location
+ * MFSA 2013-61/CVE-2013-1699 (bmo#840882)
+ Homograph domain spoofing in .com, .net and .name
+
+-------------------------------------------------------------------
+Tue Jun 11 21:06:58 UTC 2013 - dvaleev@suse.com
+
+- Fix qcms altivec include (mozilla-qcms-ppc.patch)
+
+-------------------------------------------------------------------
+Fri May 10 05:25:39 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 21.0 (bnc#819204)
+ * removed upstreamed patch firefox-712763.patch
+ * removed disabled mozilla-disable-neon-option.patch
+ * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
+ Miscellaneous memory safety hazards
+ * MFSA 2013-42/CVE-2013-1670 (bmo#853709)
+ Privileged access for content level constructor
+ * MFSA 2013-43/CVE-2013-1671 (bmo#842255)
+ File input control has access to full path
+ * MFSA 2013-46/CVE-2013-1674 (bmo#860971)
+ Use-after-free with video and onresize event
+ * MFSA 2013-47/CVE-2013-1675 (bmo#866825)
+ Uninitialized functions in DOMSVGZoomEvent
+ * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
+ CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
+ Memory corruption found using Address Sanitizer
+
+-------------------------------------------------------------------
+Tue Apr 9 06:41:31 UTC 2013 - wr@rosenauer.org
+
+- revert to use GStreamer 0.10 on 12.3 (bnc#814101)
+ (remove mozilla-gstreamer-1.patch)
+
+-------------------------------------------------------------------
+Fri Apr 5 17:04:11 UTC 2013 - schwab@linux-m68k.org
+
+- Explicitly disable WebRTC support on non-x86, the configure script
+ disables it only half-heartedly
+
+-------------------------------------------------------------------
+Fri Mar 29 22:15:21 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 20.0 (bnc#813026)
+ * requires NSPR 4.9.5 and NSS 3.14.3
+ * mozilla-webrtc-ppc.patch included upstream
+ * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
+ Miscellaneous memory safety hazards
+ * MFSA 2013-31/CVE-2013-0800 (bmo#825721)
+ Out-of-bounds write in Cairo library
+ * MFSA 2013-35/CVE-2013-0796 (bmo#827106)
+ WebGL crash with Mesa graphics driver on Linux
+ * MFSA 2013-36/CVE-2013-0795 (bmo#825697)
+ Bypass of SOW protections allows cloning of protected nodes
+ * MFSA 2013-37/CVE-2013-0794 (bmo#626775)
+ Bypass of tab-modal dialog origin disclosure
+ * MFSA 2013-38/CVE-2013-0793 (bmo#803870)
+ Cross-site scripting (XSS) using timed history navigations
+ * MFSA 2013-39/CVE-2013-0792 (bmo#722831)
+ Memory corruption while rendering grayscale PNG images
+- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)
+
+-------------------------------------------------------------------
+Tue Mar 12 23:08:15 UTC 2013 - dmueller@suse.com
+
+- build fixes for armv7hl:
+ * disable debug build as armv7hl does not have enough memory
+ * disable webrtc on armv7hl as it is non-compiling
+
+-------------------------------------------------------------------
+Thu Mar 7 19:03:32 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 19.0.2 (bnc#808243)
+ * MFSA 2013-29/CVE-2013-0787 (bmo#848644)
+ Use-after-free in HTML Editor
+
+-------------------------------------------------------------------
+Thu Feb 28 22:06:36 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 19.0.1
+ * blocklist updates
+
+-------------------------------------------------------------------
+Sat Feb 16 07:08:55 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 19.0 (bnc#804248)
+ * MFSA 2013-21/CVE-2013-0783/2013-0784
+ Miscellaneous memory safety hazards
+ * MFSA 2013-22/CVE-2013-0772 (bmo#801366)
+ Out-of-bounds read in image rendering
+ * MFSA 2013-23/CVE-2013-0765 (bmo#830614)
+ Wrapped WebIDL objects can be wrapped again
+ * MFSA 2013-24/CVE-2013-0773 (bmo#809652)
+ Web content bypass of COW and SOW security wrappers
+ * MFSA 2013-25/CVE-2013-0774 (bmo#827193)
+ Privacy leak in JavaScript Workers
+ * MFSA 2013-26/CVE-2013-0775 (bmo#831095)
+ Use-after-free in nsImageLoadingContent
+ * MFSA 2013-27/CVE-2013-0776 (bmo#796475)
+ Phishing on HTTPS connection through malicious proxy
+ * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/
+ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781
+ Use-after-free, out of bounds read, and buffer overflow issues
+ found using Address Sanitizer
+- removed obsolete patches
+ * mozilla-webrtc.patch
+ * mozilla-gstreamer-803287.patch
+- added patch to fix session restore window order (bmo#712763)
+
+-------------------------------------------------------------------
+Sat Feb 2 08:40:52 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 18.0.2
+ * blocklist and CTP updates
+ * fixes in JS engine
+
+-------------------------------------------------------------------
+Wed Jan 16 20:51:55 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 18.0.1
+ * blocklist updates
+ * backed out bmo#677092 (removed patch)
+ * fixed problems involving HTTP proxy transactions
+
+-------------------------------------------------------------------
+Sat Jan 12 17:25:11 UTC 2013 - schwab@linux-m68k.org
+
+- Fix WebRTC to build on powerpc
+
+-------------------------------------------------------------------
+Sun Jan 6 21:54:18 UTC 2013 - wr@rosenauer.org
+
+- update to Firefox 18.0 (bnc#796895)
+ * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
+ Miscellaneous memory safety hazards
+ * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
+ CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
+ Use-after-free and buffer overflow issues found using Address Sanitizer
+ * MFSA 2013-03/CVE-2013-0768 (bmo#815795)
+ Buffer Overflow in Canvas
+ * MFSA 2013-04/CVE-2012-0759 (bmo#802026)
+ URL spoofing in addressbar during page loads
+ * MFSA 2013-05/CVE-2013-0744 (bmo#814713)
+ Use-after-free when displaying table with many columns and column groups
+ * MFSA 2013-06/CVE-2013-0751 (bmo#790454)
+ Touch events are shared across iframes
+ * MFSA 2013-07/CVE-2013-0764 (bmo#804237)
+ Crash due to handling of SSL on threads
+ * MFSA 2013-08/CVE-2013-0745 (bmo#794158)
+ AutoWrapperChanger fails to keep objects alive during garbage collection
+ * MFSA 2013-09/CVE-2013-0746 (bmo#816842)
+ Compartment mismatch with quickstubs returned values
+ * MFSA 2013-10/CVE-2013-0747 (bmo#733305)
+ Event manipulation in plugin handler to bypass same-origin policy
+ * MFSA 2013-11/CVE-2013-0748 (bmo#806031)
+ Address space layout leaked in XBL objects
+ * MFSA 2013-12/CVE-2013-0750 (bmo#805121)
+ Buffer overflow in Javascript string concatenation
+ * MFSA 2013-13/CVE-2013-0752 (bmo#805024)
+ Memory corruption in XBL with XML bindings containing SVG
+ * MFSA 2013-14/CVE-2013-0757 (bmo#813901)
+ Chrome Object Wrapper (COW) bypass through changing prototype
+ * MFSA 2013-15/CVE-2013-0758 (bmo#813906)
+ Privilege escalation through plugin objects
+ * MFSA 2013-16/CVE-2013-0753 (bmo#814001)
+ Use-after-free in serializeToStream
+ * MFSA 2013-17/CVE-2013-0754 (bmo#814026)
+ Use-after-free in ListenerManager
+ * MFSA 2013-18/CVE-2013-0755 (bmo#814027)
+ Use-after-free in Vibrate
+ * MFSA 2013-19/CVE-2013-0756 (bmo#814029)
+ Use-after-free in Javascript Proxy objects
+- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
+- removed obsolete SLE11 patches (mozilla-gcc43*)
+- reenable WebRTC
+- added mozilla-libproxy-compat.patch for libproxy API compat
+ on openSUSE 11.2 and earlier
+- backed out restartless language packs as it broke multi-locale
+ setup (bmo#677092, bmo#818468)
+
+-------------------------------------------------------------------
+Thu Nov 29 19:56:51 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 17.0.1
+ * revert some useragent changes introduced in 17.0
+ * leaving private browsing with social enabled doesn't reset all
+ social components (bmo#815042)
+- fix KDE integration for file dialogs
+
+-------------------------------------------------------------------
+Tue Nov 20 19:52:02 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 17.0 (bnc#790140)
+ * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
+ Miscellaneous memory safety hazards
+ * MFSA 2012-92/CVE-2012-4202 (bmo#758200)
+ Buffer overflow while rendering GIF images
+ * MFSA 2012-93/CVE-2012-4201 (bmo#747607)
+ evalInSanbox location context incorrectly applied
+ * MFSA 2012-94/CVE-2012-5836 (bmo#792857)
+ Crash when combining SVG text on path with CSS
+ * MFSA 2012-95/CVE-2012-4203 (bmo#765628)
+ Javascript: URLs run in privileged context on New Tab page
+ * MFSA 2012-96/CVE-2012-4204 (bmo#778603)
+ Memory corruption in str_unescape
+ * MFSA 2012-97/CVE-2012-4205 (bmo#779821)
+ XMLHttpRequest inherits incorrect principal within sandbox
+ * MFSA 2012-99/CVE-2012-4208 (bmo#798264)
+ XrayWrappers exposes chrome-only properties when not in chrome
+ compartment
+ * MFSA 2012-100/CVE-2012-5841 (bmo#805807)
+ Improper security filtering for cross-origin wrappers
+ * MFSA 2012-101/CVE-2012-4207 (bmo#801681)
+ Improper character decoding in HZ-GB-2312 charset
+ * MFSA 2012-102/CVE-2012-5837 (bmo#800363)
+ Script entered into Developer Toolbar runs with chrome privileges
+ * MFSA 2012-103/CVE-2012-4209 (bmo#792405)
+ Frames can shadow top.location
+ * MFSA 2012-104/CVE-2012-4210 (bmo#796866)
+ CSS and HTML injection through Style Inspector
+ * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
+ CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
+ CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
+ Use-after-free and buffer overflow issues found using Address
+ Sanitizer
+ * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
+ Use-after-free, buffer overflow, and memory corruption issues
+ found using Address Sanitizer
+- rebased patches
+- disabled WebRTC since build is broken (bmo#776877)
+
+-------------------------------------------------------------------
+Tue Nov 20 15:42:55 UTC 2012 - pcerny@suse.com
+
+- build on SLE11
+ * mozilla-gcc43-enums.patch
+ * mozilla-gcc43-template_hacks.patch
+ * mozilla-gcc43-templates_instantiation.patch
+
+-------------------------------------------------------------------
+Wed Oct 24 08:27:29 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 16.0.2 (bnc#786522)
+ * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
+ (bmo#800666, bmo#793121, bmo#802557)
+ Fixes for Location object issues
+- bring back Obsoletes for libproxy's mozjs plugin for distributions
+ before 12.2 to avoid crashes
+
+-------------------------------------------------------------------
+Thu Oct 11 01:51:16 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 16.0.1 (bnc#783533)
+ * MFSA 2012-88/CVE-2012-4191 (bmo#798045)
+ Miscellaneous memory safety hazards
+ * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
+ defaultValue security checks not applied
+
+-------------------------------------------------------------------
+Sun Oct 7 21:40:14 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 16.0 (bnc#783533)
+ * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
+ Miscellaneous memory safety hazards
+ * MFSA 2012-75/CVE-2012-3984 (bmo#575294)
+ select element persistance allows for attacks
+ * MFSA 2012-76/CVE-2012-3985 (bmo#655649)
+ Continued access to initial origin after setting document.domain
+ * MFSA 2012-77/CVE-2012-3986 (bmo#775868)
+ Some DOMWindowUtils methods bypass security checks
+ * MFSA 2012-79/CVE-2012-3988 (bmo#725770)
+ DOS and crash with full screen and history navigation
+ * MFSA 2012-80/CVE-2012-3989 (bmo#783867)
+ Crash with invalid cast when using instanceof operator
+ * MFSA 2012-81/CVE-2012-3991 (bmo#783260)
+ GetProperty function can bypass security checks
+ * MFSA 2012-82/CVE-2012-3994 (bmo#765527)
+ top object and location property accessible by plugins
+ * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
+ Chrome Object Wrapper (COW) does not disallow acces to privileged
+ functions or properties
+ * MFSA 2012-84/CVE-2012-3992 (bmo#775009)
+ Spoofing and script injection through location.hash
+ * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
+ CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
+ Use-after-free, buffer overflow, and out of bounds read issues
+ found using Address Sanitizer
+ * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
+ CVE-2012-4188
+ Heap memory corruption issues found using Address Sanitizer
+ * MFSA 2012-87/CVE-2012-3990 (bmo#787704)
+ Use-after-free in the IME State Manager
+- requires NSPR 4.9.2
+- improve GStreamer integration (bmo#760140)
+- removed upstreamed mozilla-crashreporter-restart-args.patch
+- webapprt now included
+- use kmozillahelper's new REVEAL command (bnc#777415)
+ (requires mozilla-kde4-integration >= 0.6.4)
+- updated translations-other with new languages
+
+-------------------------------------------------------------------
+Mon Sep 10 19:37:56 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 15.0.1 (bnc#779936)
+ * Sites visited while in Private Browsing mode could be found
+ through manual browser cache inspection (bmo#787743)
+
+-------------------------------------------------------------------
+Sun Aug 26 13:47:43 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 15.0 (bnc#777588)
+ * MFSA 2012-57/CVE-2012-1970
+ Miscellaneous memory safety hazards
+ * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
+ CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
+ CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
+ Use-after-free issues found using Address Sanitizer
+ * MFSA 2012-59/CVE-2012-1956 (bmo#756719)
+ Location object can be shadowed using Object.defineProperty
+ * MFSA 2012-60/CVE-2012-3965 (bmo#769108)
+ Escalation of privilege through about:newtab
+ * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
+ Memory corruption with bitmap format images with negative height
+ * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
+ WebGL use-after-free and memory corruption
+ * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
+ SVG buffer overflow and use-after-free issues
+ * MFSA 2012-64/CVE-2012-3971
+ Graphite 2 memory corruption
+ * MFSA 2012-65/CVE-2012-3972 (bmo#746855)
+ Out-of-bounds read in format-number in XSLT
+ * MFSA 2012-66/CVE-2012-3973 (bmo#757128)
+ HTTPMonitor extension allows for remote debugging without explicit
+ activation
+ * MFSA 2012-68/CVE-2012-3975 (bmo#770684)
+ DOMParser loads linked resources in extensions when parsing
+ text/html
+ * MFSA 2012-69/CVE-2012-3976 (bmo#768568)
+ Incorrect site SSL certificate data display
+ * MFSA 2012-70/CVE-2012-3978 (bmo#770429)
+ Location object security checks bypassed by chrome code
+ * MFSA 2012-72/CVE-2012-3980 (bmo#771859)
+ Web console eval capable of executing chrome-privileged code
+- fix HTML5 video crash with GStreamer enabled (bmo#761030)
+- GStreamer is only used for MP4 (no WebM, OGG)
+- updated filelist
+- moved browser specific preferences to correct location
+
+-------------------------------------------------------------------
+Sun Jul 29 08:34:39 UTC 2012 - aj@suse.de
+
+- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
+
+-------------------------------------------------------------------
+Sat Jul 14 19:31:51 UTC 2012 - wr@rosenauer.org
+
+- update to 14.0.1 (bnc#771583)
+ * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
+ Miscellaneous memory safety hazards
+ * MFSA 2012-43/CVE-2012-1950
+ Incorrect URL displayed in addressbar through drag and drop
+ * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
+ Gecko memory corruption
+ * MFSA 2012-45/CVE-2012-1955 (bmo#757376)
+ Spoofing issue with location
+ * MFSA 2012-46/CVE-2012-1966 (bmo#734076)
+ XSS through data: URLs
+ * MFSA 2012-47/CVE-2012-1957 (bmo#750096)
+ Improper filtering of javascript in HTML feed-view
+ * MFSA 2012-48/CVE-2012-1958 (bmo#750820)
+ use-after-free in nsGlobalWindow::PageHidden
+ * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
+ Same-compartment Security Wrappers can be bypassed
+ * MFSA 2012-50/CVE-2012-1960 (bmo#761014)
+ Out of bounds read in QCMS
+ * MFSA 2012-51/CVE-2012-1961 (bmo#761655)
+ X-Frame-Options header ignored when duplicated
+ * MFSA 2012-52/CVE-2012-1962 (bmo#764296)
+ JSDependentString::undepend string conversion results in memory
+ corruption
+ * MFSA 2012-53/CVE-2012-1963 (bmo#767778)
+ Content Security Policy 1.0 implementation errors cause data
+ leakage
+ * MFSA 2012-55/CVE-2012-1965 (bmo#758990)
+ feed: URLs with an innerURI inherit security context of page
+ * MFSA 2012-56/CVE-2012-1967 (bmo#758344)
+ Code execution through javascript: URLs
+- license change from tri license to MPL-2.0
+- fix crashreporter restart option (bmo#762780)
+- require NSS 3.13.5
+- remove mozjs pacrunner obsoletes again for now
+- adopted mozilla-prefer_plugin_pref.patch
+- PPC fixes:
+ * reenabled mozilla-yarr-pcre.patch to fix build for PPC
+ * add patches for bmo#750620 and bmo#746112
+ * fix xpcshell segfault on ppc
+
+-------------------------------------------------------------------
+Fri Jun 15 12:37:09 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 13.0.1
+ * bugfix release
+- obsolete libproxy's mozjs pacrunner (bnc#759123)
+
+-------------------------------------------------------------------
+Sat Jun 2 08:22:51 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 13.0 (bnc#765204)
+ * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
+ Miscellaneous memory safety hazards
+ * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
+ Content Security Policy inline-script bypass
+ * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
+ Information disclosure though Windows file shares and shortcut
+ files
+ * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
+ Use-after-free while replacing/inserting a node in a document
+ * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
+ Buffer overflow and use-after-free issues found using Address
+ Sanitizer
+- require NSS 3.13.4
+ * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
+- fix sound notifications when filename/path contains a whitespace
+ (bmo#749739)
+
+-------------------------------------------------------------------
+Wed May 23 14:40:16 UTC 2012 - adrian@suse.de
+
+- fix build on arm
+
+-------------------------------------------------------------------
+Wed May 16 05:34:01 UTC 2012 - wr@rosenauer.org
+
+- reenabled crashreporter for Factory/12.2
+ (fix in mozilla-gcc47.patch)
+
+-------------------------------------------------------------------
+Sat Apr 21 10:02:37 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 12.0 (bnc#758408)
+ * rebased patches
+ * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
+ Miscellaneous memory safety hazards
+ * MFSA 2012-22/CVE-2012-0469 (bmo#738985)
+ use-after-free in IDBKeyRange
+ * MFSA 2012-23/CVE-2012-0470 (bmo#734288)
+ Invalid frees causes heap corruption in gfxImageSurface
+ * MFSA 2012-24/CVE-2012-0471 (bmo#715319)
+ Potential XSS via multibyte content processing errors
+ * MFSA 2012-25/CVE-2012-0472 (bmo#744480)
+ Potential memory corruption during font rendering using cairo-dwrite
+ * MFSA 2012-26/CVE-2012-0473 (bmo#743475)
+ WebGL.drawElements may read illegal video memory due to
+ FindMaxUshortElement error
+ * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
+ Page load short-circuit can lead to XSS
+ * MFSA 2012-28/CVE-2012-0475 (bmo#694576)
+ Ambiguous IPv6 in Origin headers may bypass webserver access
+ restrictions
+ * MFSA 2012-29/CVE-2012-0477 (bmo#718573)
+ Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
+ * MFSA 2012-30/CVE-2012-0478 (bmo#727547)
+ Crash with WebGL content using textImage2D
+ * MFSA 2012-31/CVE-2011-3062 (bmo#739925)
+ Off-by-one error in OpenType Sanitizer
+ * MFSA 2012-32/CVE-2011-1187 (bmo#624621)
+ HTTP Redirections and remote content can be read by javascript errors
+ * MFSA 2012-33/CVE-2012-0479 (bmo#714631)
+ Potential site identity spoofing when loading RSS and Atom feeds
+- added mozilla-libnotify.patch to allow fallback from libnotify
+ to xul based events if no notification-daemon is running
+- gcc 4.7 fixes
+ * mozilla-gcc47.patch
+ * disabled crashreporter temporarily for Factory
+- recommend libcanberra0 for proper sound notifications
+
+-------------------------------------------------------------------
+Fri Mar 9 21:47:07 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 11.0 (bnc#750044)
+ * MFSA 2012-13/CVE-2012-0455 (bmo#704354)
+ XSS with Drag and Drop and Javascript: URL
+ * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
+ SVG issues found with Address Sanitizer
+ * MFSA 2012-15/CVE-2012-0451 (bmo#717511)
+ XSS with multiple Content Security Policy headers
+ * MFSA 2012-16/CVE-2012-0458
+ Escalation of privilege with Javascript: URL as home page
+ * MFSA 2012-17/CVE-2012-0459 (bmo#723446)
+ Crash when accessing keyframe cssText after dynamic modification
+ * MFSA 2012-18/CVE-2012-0460 (bmo#727303)
+ window.fullScreen writeable by untrusted content
+ * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
+ CVE-2012-0463
+ Miscellaneous memory safety hazards
+- ported and reenabled KDE integration (bnc#746591)
+- explicitely build-require X libs
+
+-------------------------------------------------------------------
+Mon Mar 5 13:31:48 UTC 2012 - vdziewiecki@suse.com
+
+- add Provides: browser(npapi) FATE#313084
+
+-------------------------------------------------------------------
+Fri Feb 17 17:41:11 UTC 2012 - pcerny@suse.com
+
+- better plugin directory resolution (bnc#747320)
+
+-------------------------------------------------------------------
+Thu Feb 16 08:47:31 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 10.0.2 (bnc#747328)
+ * CVE-2011-3026 (bmo#727401)
+ libpng: integer overflow leading to heap-buffer overflow
+
+-------------------------------------------------------------------
+Thu Feb 9 09:26:11 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 10.0.1 (bnc#746616)
+ * MFSA 2012-10/CVE-2012-0452 (bmo#724284)
+ use after free in nsXBLDocumentInfo::ReadPrototypeBindings
+
+-------------------------------------------------------------------
+Tue Feb 7 10:40:58 UTC 2012 - dvaleev@suse.com
+
+- Use YARR interpreter instead of PCRE on platforms where YARR JIT
+ is not supported, since PCRE doesnt build (bmo#691898)
+- fix ppc64 build (bmo#703534)
+
+-------------------------------------------------------------------
+Mon Jan 30 09:41:59 UTC 2012 - wr@rosenauer.org
+
+- update to Firefox 10.0 (bnc#744275)
+ * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
+ Miscellaneous memory safety hazards
+ * MFSA 2012-03/CVE-2012-0445 (bmo#701071)
+ <iframe> element exposed across domains via name attribute
+ * MFSA 2012-04/CVE-2011-3659 (bmo#708198)
+ Child nodes from nsDOMAttribute still accessible after removal
+ of nodes
+ * MFSA 2012-05/CVE-2012-0446 (bmo#705651)
+ Frame scripts calling into untrusted objects bypass security
+ checks
+ * MFSA 2012-06/CVE-2012-0447 (bmo#710079)
+ Uninitialized memory appended when encoding icon images may
+ cause information disclosure
+ * MFSA 2012-07/CVE-2012-0444 (bmo#719612)
+ Potential Memory Corruption When Decoding Ogg Vorbis files
+ * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
+ Crash with malformed embedded XSLT stylesheets
+- KDE integration has been disabled since it needs refactoring
+- removed obsolete ppc64 patch
+
+-------------------------------------------------------------------
+Sun Jan 22 12:08:07 UTC 2012 - joop.boonen@opensuse.org
+
+- Disable neon for arm as it doesn't build correctly
+
+-------------------------------------------------------------------
+Fri Dec 23 17:02:01 UTC 2011 - wr@rosenauer.org
+
+- update to Firefox 9.0.1
+ * (strongparent) parentNode of element gets lost (bmo#335998)
+
+-------------------------------------------------------------------
+Sun Dec 18 09:58:52 UTC 2011 - adrian@suse.de
+
+- fix arm build, don't package crashreporter there
+
+-------------------------------------------------------------------
+Sun Dec 18 09:52:08 UTC 2011 - wr@rosenauer.org
+
+- update to Firefox 9 (bnc#737533)
+ * MFSA 2011-53/CVE-2011-3660
+ Miscellaneous memory safety hazards (rv:9.0)
+ * MFSA 2011-54/CVE-2011-3661 (bmo#691299)
+ Potentially exploitable crash in the YARR regular expression
+ library
+ * MFSA 2011-55/CVE-2011-3658 (bmo#708186)
+ nsSVGValue out-of-bounds access
+ * MFSA 2011-56/CVE-2011-3663 (bmo#704482)
+ Key detection without JavaScript via SVG animation
+ * MFSA 2011-58/VE-2011-3665 (bmo#701259)
+ Crash scaling <video> to extreme sizes
+
+-------------------------------------------------------------------
+Sun Nov 27 03:51:54 UTC 2011 - mgorse@suse.com
+
+- Fix accessibility under GNOME 3 (bnc#732898)
+
+-------------------------------------------------------------------
+Sat Nov 12 15:16:38 UTC 2011 - dvaleev@suse.com
+
+- fix ppc64 build
+
+-------------------------------------------------------------------
+Sun Nov 6 08:20:59 UTC 2011 - wr@rosenauer.org
+
+- update to Firefox 8 (bnc#728520)
+ * MFSA 2011-47/CVE-2011-3648 (bmo#690225)
+ Potential XSS against sites using Shift-JIS
+ * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
+ Miscellaneous memory safety hazards
+ * MFSA 2011-49/CVE-2011-3650 (bmo#674776)
+ Memory corruption while profiling using Firebug
+ * MFSA 2011-52/CVE-2011-3655 (bmo#672182)
+ Code execution via NoWaiverWrapper
+- rebased patches
+
+-------------------------------------------------------------------
+Thu Oct 20 12:34:47 UTC 2011 - wr@rosenauer.org
+
+- enable telemetry prompt
+
+-------------------------------------------------------------------
+Fri Sep 30 10:52:36 UTC 2011 - wr@rosenauer.org
+
+- update to minor release 7.0.1
+ * fixed staged addon updates
+- set intl.locale.matchOS=true in the base package as it causes
+ too much confusion when it's only available with branding-openSUSE
+
+-------------------------------------------------------------------
+Fri Sep 23 11:22:22 UTC 2011 - wr@rosenauer.org
+
+- update to Firefox 7 (bnc#720264)
+ including
+ * Improve Responsiveness with Memory Reductions
+ * Instant Sync
+ * WebSocket protocol 8
+ * MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997
+ Miscellaneous memory safety hazards
+ * MFSA 2011-39/CVE-2011-3000 (bmo#655389)
+ Defense against multiple Location headers due to CRLF Injection
+ * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
+ Code installation through holding down Enter
+ * MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335)
+ Potentially exploitable WebGL crashes
+ * MFSA 2011-42/CVE-2011-3232 (bmo#653672)
+ Potentially exploitable crash in the YARR regular expression
+ library
+ * MFSA 2011-43/CVE-2011-3004 (bmo#653926)
+ loadSubScript unwraps XPCNativeWrapper scope parameter
+ * MFSA 2011-44/CVE-2011-3005 (bmo#675747)
+ Use after free reading OGG headers
+ * MFSA 2011-45
+ Inferring keystrokes from motion data
+- removed obsolete mozilla-cairo-lcd.patch
+- rebased patches
+- removed XLIB_SKIP_ARGB_VISUALS=1 from environment in
+ mozilla.sh.in (bnc#680758)
+
+-------------------------------------------------------------------
+Fri Sep 16 06:57:38 UTC 2011 - wr@rosenauer.org
+
+- fixed loading of kde.js under KDE (bnc#718311)
+
+-------------------------------------------------------------------
+Wed Sep 14 07:02:04 UTC 2011 - wr@rosenauer.org
+
+- add dbus-1-glib-devel to BuildRequires (not pulled in
+ automatically anymore on 12.1)
+- increase minversions for NSPR and NSS
+
+-------------------------------------------------------------------
+Fri Sep 9 20:44:15 UTC 2011 - wr@rosenauer.org
+
+- recreated source archive to get correct source-stamp.txt
+
+-------------------------------------------------------------------
+Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com
+
+- security update to 6.0.2 (bnc#714931)
+ * Complete blocking of certificates issued by DigiNotar
+ (bmo#683449)
+
+-------------------------------------------------------------------
+Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com
+
+- security update to 6.0.1 (bnc#714931)
+ * MFSA 2011-34
+ Protection against fraudulent DigiNotar certificates
+ (bmo#682927)
+
+-------------------------------------------------------------------
+Fri Aug 12 21:16:19 UTC 2011 - wr@rosenauer.org
+
+- update to 6.0 (bnc#712224)
+ included security fixes MFSA 2011-29
+ * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
+ Miscellaneous memory safety hazards
+ * CVE-2011-2993 (bmo#657267)
+ Unsigned scripts can call script inside signed JAR
+ * CVE-2011-2988 (bmo#665934)
+ Heap overflow in ANGLE library
+ * CVE-2011-0084 (bmo#648094)
+ Crash in SVGTextElement.getCharNumAtPosition()
+ * CVE-2011-2990
+ Credential leakage using Content Security Policy reports
+ * CVE-2011-2986 (bmo#655836)
+ Cross-origin data theft using canvas and Windows D2D
+- removed obsolete curl header dependency (mozilla-curl.patch)
+
+-------------------------------------------------------------------
+Fri Jul 22 13:34:12 UTC 2011 - wr@rosenauer.org
+
+- update to 6.0b3
+ * removed obsolete patches
+ - firefox-shellservice.patch
+ - mozilla-gio.patch
+ - mozilla-ppc-ipc.patch
+ - firefox-linkorder.patch
+ - firefox-no-sync-l10n.patch
+- recognize linux3 as platform for symbolstore.py
+
+-------------------------------------------------------------------
+Fri Jul 1 19:53:18 CEST 2011 - vuntz@opensuse.org
+
+- Add x-scheme-handler/ftp to the MimeType key in the .desktop, to
+ let desktops know that Firefox can deal with ftp: URIs.
+
+-------------------------------------------------------------------
+Fri Jul 1 06:45:08 UTC 2011 - wr@rosenauer.org
+
+- create upstream branding package again (supposedly empty)
+ (bnc#703401)
+- fix build on SLE11 (changes do not affect/are not applied for
+ later versions)
+
+-------------------------------------------------------------------
+Wed Jun 22 06:41:17 UTC 2011 - wr@rosenauer.org
+
+- enable startup notification (bnc#701465)
+
+-------------------------------------------------------------------
+Mon Jun 20 19:37:01 UTC 2011 - wr@rosenauer.org
+
+- update to 5.0 final
+- included fixes for security issues: (bnc#701296, bnc#700578)
+ * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375
+ Miscellaneous memory safety hazards
+ * MFSA 2011-20/CVE-2011-2373 (bmo#617247)
+ Use-after-free vulnerability when viewing XUL document with
+ script disabled
+ * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
+ Memory corruption due to multipart/x-mixed-replace images
+ * MFSA 2011-22/CVE-2011-2371 (bmo#664009)
+ Integer overflow and arbitrary code execution in
+ Array.reduceRight()
+ * MFSA 2011-25/CVE-2011-2366
+ Stealing of cross-domain images using WebGL textures
+ * MFSA 2011-26/CVE-2011-2367 CVE-2011-2368
+ Multiple WebGL crashes
+ * MFSA 2011-27/CVE-2011-2369 (bmo#650001)
+ XSS encoding hazard with inline SVG
+ * MFSA 2011-28/CVE-2011-2370 (bmo#645699)
+ Non-whitelisted site can trigger xpinstall
+
+-------------------------------------------------------------------
+Mon Jun 20 09:17:42 UTC 2011 - wr@rosenauer.org
+
+- update to 5.0b7
+ * updated supported locales
+- do not build dump_syms static (not needed for us)
+ -> fix build for openSUSE 12.1 and above
+
+-------------------------------------------------------------------
+Wed Jun 15 14:59:32 UTC 2011 - wr@rosenauer.org
+
+- update to 5.0b6
+- include proper revision information into the build
+- speedier find-external-requires.sh
+
+-------------------------------------------------------------------
+Tue May 31 06:53:55 UTC 2011 - wr@rosenauer.org
+
+- update to 5.0b3
+- transformed to standalone Firefox (not xulrunner based)
+ (with new Firefox rapid release cycle it makes no sense anymore)
+ * imported all relevant xulrunner patches
+- do not compile in build timestamp
+
+-------------------------------------------------------------------
+Fri Apr 15 07:08:53 UTC 2011 - wr@rosenauer.org
+
+- security update to 4.0.1 (bnc#689281)
+ * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079
+ CVE-2011-0080 CVE-2011-0081
+ Miscellaneous memory safety hazards
+ * MFSA 2011-17/CVE-2011-0068 (bmo#623791)
+ WebGLES vulnerabilities
+ * MFSA 2011-18/CVE-2011-1202 (bmo#640339)
+ XSLT generate-id() function heap address leak
+
+-------------------------------------------------------------------
+Wed Mar 30 11:24:36 UTC 2011 - wr@rosenauer.org
+
+- add all available icon sizes
+
+-------------------------------------------------------------------
+Tue Mar 29 11:55:53 UTC 2011 - cfarrell@novell.com
+
+- license update: MPLv1.1 or GPLv2+ or LGPLv2+
+ Sync licenses with Fedora. MPL does not state ^or later^
+
+-------------------------------------------------------------------
+Fri Mar 18 08:49:15 UTC 2011 - wr@rosenauer.org
+
+- update to version 4.0rc2
+- fixed rpm macros delivered with devel package (bnc#679950)
+
+-------------------------------------------------------------------
+Wed Feb 23 07:52:04 UTC 2011 - wr@rosenauer.org
+
+- update to version 4.0b12
+- rebased patches
+
+-------------------------------------------------------------------
+Fri Feb 4 09:32:50 UTC 2011 - wr@rosenauer.org
+
+- update to version 4.0b11
+ * loads of bugfixes compared to last beta
+ * added "Do Not Track" option
+- rebased patches
+- disable testpilot
+
+-------------------------------------------------------------------
+Fri Jan 28 08:56:12 UTC 2011 - wr@rosenauer.org
+
+- set correct desktop file name within KDE for 11.4 and up
+- add devel package with macros for extensions (from lnussel@suse.de)
+
+-------------------------------------------------------------------
+Sat Jan 22 22:21:52 UTC 2011 - wr@rosenauer.org
+
+- update to version 4.0b10
+- removed obsolete firefox-shell-bmo624267.patch
+- testpilot moved to distribution/extensions
+- updated locale provides and removed bn-IN from locales
+
+-------------------------------------------------------------------
+Tue Jan 11 06:13:40 UTC 2011 - wr@rosenauer.org
+
+- update to version 4.0b9
+- added x-scheme-handler for http and https to desktop file for
+ newer Gnome environments
+- fixed default browser check/set for GIO (bmo#611953)
+ (mozilla-shellservice.patch)
+- removed obsolete firefox-appname.patch (integrated into
+ shellservice patch)
+- renamed desktop file to firefox.desktop for 11.4 and newer
+ (bnc#664211)
+- removed support for 10.3 and older from the spec file
+- removed obsolete "Ximian" categories from desktop file
+
+-------------------------------------------------------------------
+Mon Jan 3 17:35:46 CET 2011 - meissner@suse.de
+
+- Mirror ac_add_options --disable-ipc from xulrunner for PowerPC.
+
+-------------------------------------------------------------------
+Wed Dec 15 07:49:45 UTC 2010 - wr@rosenauer.org
+
+- update to version 4.0beta8
+
+-------------------------------------------------------------------
+Tue Nov 30 14:19:59 UTC 2010 - wr@rosenauer.org
+
+- major update to version 4.0beta7
+ * based on mozilla-xulrunner20
+ * far too many internal changes to list
+
+-------------------------------------------------------------------
+Wed Oct 27 07:12:14 CEST 2010 - wr@rosenauer.org
+
+- security update to 3.6.12 (bnc#649492)
+ * MFSA 2010-73/CVE-2010-3765 (bmo#607222)
+ Heap buffer overflow mixing document.write and DOM insertion
+
+-------------------------------------------------------------------
+Wed Oct 6 07:13:52 CEST 2010 - wr@rosenauer.org
+
+- security update to 3.6.11 (bnc#645315)
+ * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
+ Miscellaneous memory safety hazards
+ * MFSA 2010-65/CVE-2010-3179 (bmo#583077)
+ Buffer overflow and memory corruption using document.write
+ * MFSA 2010-66/CVE-2010-3180 (bmo#588929)
+ Use-after-free error in nsBarProp
+ * MFSA 2010-67/CVE-2010-3183 (bmo#598669)
+ Dangling pointer vulnerability in LookupGetterOrSetter
+ * MFSA 2010-68/CVE-2010-3177 (bmo#556734)
+ XSS in gopher parser when parsing hrefs
+ * MFSA 2010-69/CVE-2010-3178 (bmo#576616)
+ Cross-site information disclosure via modal calls
+ * MFSA 2010-70/CVE-2010-3170 (bmo#578697)
+ SSL wildcard certificate matching IP addresses
+ * MFSA 2010-71/CVE-2010-3182 (bmo#590753)
+ Unsafe library loading vulnerabilities
+ * MFSA 2010-72/CVE-2010-3173
+ Insecure Diffie-Hellman key exchange
+
+-------------------------------------------------------------------
+Wed Sep 15 07:39:22 CEST 2010 - wr@rosenauer.org
+
+- update to 3.6.10
+ * fixing startup topcrash (bmo#594699)
+
+-------------------------------------------------------------------
+Thu Aug 26 07:40:28 CEST 2010 - wr@rosenauer.org
+
+- security update to 3.6.9 (bnc#637303)
+ * MFSA 2010-49/CVE-2010-3169
+ Miscellaneous memory safety hazards
+ * MFSA 2010-50/CVE-2010-2765 (bmo#576447)
+ Frameset integer overflow vulnerability
+ * MFSA 2010-51/CVE-2010-2767 (bmo#584512)
+ Dangling pointer vulnerability using DOM plugin array
+ * MFSA 2010-53/CVE-2010-3166 (bmo#579655)
+ Heap buffer overflow in nsTextFrameUtils::TransformText
+ * MFSA 2010-54/CVE-2010-2760 (bmo#585815)
+ Dangling pointer vulnerability in nsTreeSelection
+ * MFSA 2010-55/CVE-2010-3168 (bmo#576075)
+ XUL tree removal crash and remote code execution
+ * MFSA 2010-56/CVE-2010-3167 (bmo#576070)
+ Dangling pointer vulnerability in nsTreeContentView
+ * MFSA 2010-57/CVE-2010-2766 (bmo#580445)
+ Crash and remote code execution in normalizeDocument
+ * MFSA 2010-59/CVE-2010-2762 (bmo#584180)
+ SJOW creates scope chains ending in outer object
+ * MFSA 2010-61/CVE-2010-2768 (bmo#579744)
+ UTF-7 XSS by overriding document charset using <object> type
+ attribute
+ * MFSA 2010-62/CVE-2010-2769 (bmo#520189)
+ Copy-and-paste or drag-and-drop into designMode document allows
+ XSS
+ * MFSA 2010-63/CVE-2010-2764 (bmo#552090)
+ Information leak via XMLHttpRequest statusText
+
+-------------------------------------------------------------------
+Wed Jul 28 08:33:14 CEST 2010 - meissner@suse.de
+
+- disable crash reporter for non x86/x86_64 to make it build.
+
+-------------------------------------------------------------------
+Sat Jul 24 12:42:58 CEST 2010 - wr@rosenauer.org
+
+- security update to 3.6.8 (bnc#622506)
+ * MFSA 2010-48/CVE-2010-2755 (bmo#575836)
+ Dangling pointer crash regression from plugin parameter array
+ fix
+
+-------------------------------------------------------------------
+Fri Jul 16 06:48:44 CEST 2010 - wr@rosenauer.org
+
+- security update to 3.6.7 (bnc#622506)
+ * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
+ Miscellaneous memory safety hazards
+ * MFSA 2010-35/CVE-2010-1208 (bmo#572986)
+ DOM attribute cloning remote code execution vulnerability
+ * MFSA 2010-36/CVE-2010-1209 (bmo#552110)
+ Use-after-free error in NodeIterator
+ * MFSA 2010-37/CVE-2010-1214 (bmo#572985)
+ Plugin parameter EnsureCachedAttrParamArrays remote code
+ execution vulnerability
+ * MFSA 2010-38/CVE-2010-1215 (bmo#567069)
+ Arbitrary code execution using SJOW and fast native function
+ * MFSA 2010-39/CVE-2010-2752 (bmo#574059)
+ nsCSSValue::Array index integer overflow
+ * MFSA 2010-40/CVE-2010-2753 (bmo#571106)
+ nsTreeSelection dangling pointer remote code execution
+ vulnerability
+ * MFSA 2010-41/CVE-2010-1205 (bmo#570451)
+ Remote code execution using malformed PNG image
+ * MFSA 2010-42/CVE-2010-1213 (bmo#568148)
+ Cross-origin data disclosure via Web Workers and importScripts
+ * MFSA 2010-43/CVE-2010-1207 (bmo#571287)
+ Same-origin bypass using canvas context
+ * MFSA 2010-44/CVE-2010-1210 (bmo#564679)
+ Characters mapped to U+FFFD in 8 bit encodings cause subsequent
+ character to vanish
+ * MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957)
+ Multiple location bar spoofing vulnerabilities
+ * MFSA 2010-46/CVE-2010-0654 (bmo#524223)
+ Cross-domain data theft using CSS
+ * MFSA 2010-47/CVE-2010-2754 (bmo#568564)
+ Cross-origin data leakage from script filename in error messages
+
+-------------------------------------------------------------------
+Sun Jun 27 20:24:31 CEST 2010 - wr@rosenauer.org
+
+- update to 3.6.6 release
+ * modifies the crash protection feature to increase the amount
+ of time that plugins are allowed to be non-responsive before
+ being terminated.
+
+-------------------------------------------------------------------
+Wed Jun 23 14:40:35 CEST 2010 - wr@rosenauer.org
+
+- update to final 3.6.4 release (bnc#603356)
+ * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
+ CVE-2010-1203
+ Crashes with evidence of memory corruption (rv:1.9.2.4)
+ * MFSA 2010-28/CVE-2010-1198 (bmo#532246)
+ Freed object reuse across plugin instances
+ * MFSA 2010-29/CVE-2010-1196 (bmo#534666)
+ Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
+ * MFSA 2010-30/CVE-2010-1199 (bmo#554255)
+ Integer Overflow in XSLT Node Sorting
+ * MFSA 2010-31/CVE-2010-1125 (bmo#552255)
+ focus() behavior can be used to inject or steal keystrokes
+ * MFSA 2010-32/CVE-2010-1197 (bmo#537120)
+ Content-Disposition: attachment ignored if
+ Content-Type: multipart also present
+ * MFSA 2010-33/CVE-2008-5913 (bmo#475585)
+ User tracking across sites using Math.random()
+
+-------------------------------------------------------------------
+Mon Jun 7 07:07:33 CEST 2010 - wr@rosenauer.org
+
+- update to 3.6.4(build6)
+
+-------------------------------------------------------------------
+Sun Apr 18 09:42:40 CEST 2010 - wr@rosenauer.org
+
+- security update to 3.6.4 (Lorentz)
+ * enable crashreporter also for x86-64
+ * Flash runs in a separate process to avoid crashing Firefox
+ (ix86 only; x86-64 still uses nspluginwrapper)
+
+-------------------------------------------------------------------
+Thu Apr 1 11:15:38 UTC 2010 - wr@rosenauer.org
+
+- security update to 3.6.3
+ * MFSA 2010-25/CVE-2010-1121 (bmo#555109)
+ Re-use of freed object due to scope confusion
+
+-------------------------------------------------------------------
+Thu Mar 18 06:43:33 CET 2010 - wr@rosenauer.org
+
+- security update to version 3.6.2 (bnc#586567)
+ * MFSA 2010-08/CVE-2010-1028
+ WOFF heap corruption due to integer overflow
+ * MFSA 2010-09/CVE-2010-0164 (bmo#547143)
+ Deleted frame reuse in multipart/x-mixed-replace image
+ * MFSA 2010-10/CVE-2010-0170 (bmo#541530)
+ XSS via plugins and unprotected Location object
+ * MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167
+ Crashes with evidence of memory corruption
+ * MFSA 2010-12/CVE-2010-0171 (bmo#531364)
+ XSS using addEventListener and setTimeout on a wrapped object
+ * MFSA 2010-13/CVE-2010-0168 (bmo#540642)
+ Content policy bypass with image preloading
+ * MFSA 2010-14/CVE-2010-0169 (bmo#535806)
+ Browser chrome defacement via cached XUL stylesheets
+ * MFSA 2010-15/CVE-2010-0172 (bmo#537862)
+ Asynchronous Auth Prompt attaches to wrong window
+ * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
+ Crashes with evidence of memory corruption
+ * MFSA 2010-18/CVE-2010-0176 (bmo#538308)
+ Dangling pointer vulnerability in nsTreeContentView
+ * MFSA 2010-19/CVE-2010-0177 (bmo#538310)
+ Dangling pointer vulnerability in nsPluginArray
+ * MFSA 2010-20/CVE-2010-0178 (bmo#546909)
+ Chrome privilege escalation via forced URL drag and drop
+ * MFSA 2010-22/CVE-2009-3555 (bmo#545755)
+ Update NSS to support TLS renegotiation indication
+ * MFSA 2010-23/CVE-2010-0181 (bmo#452093)
+ Image src redirect to mailto: URL opens email editor
+ * MFSA 2010-24/CVE-2010-0182 (bmo#490790)
+ XMLDocument::load() doesn't check nsIContentPolicy
+
+-------------------------------------------------------------------
+Mon Jan 18 09:42:50 CET 2010 - wr@rosenauer.org
+
+- update to 3.6rc2 (already named 3.6.0)
+- removed obsolete orbit-devel build requirement
+
+-------------------------------------------------------------------
+Wed Jan 6 17:15:40 CET 2010 - wr@rosenauer.org
+
+- major update to 3.6rc1
+
+-------------------------------------------------------------------
+Fri Dec 25 09:39:42 CET 2009 - wr@rosenauer.org
+
+- update to version 3.5.7 (bnc#568011)
+ * DNS resolution in MakeSN of nsAuthSSPI causing issues for
+ proxy servers that support NTLM auth (bmo#535193)
+- added missing lockdown preferences (bnc#567131)
+
+-------------------------------------------------------------------
+Thu Dec 17 20:06:38 CET 2009 - wr@rosenauer.org
+
+- readded firefox-ui-lockdown.patch (bnc#546158)
+
+-------------------------------------------------------------------
+Thu Dec 3 21:53:59 CET 2009 - wr@rosenauer.org
+
+- security update to version 3.5.6 (bnc#559807)
+ * MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982
+ Crashes with evidence of memory corruption (rv:1.9.1.6)
+ * MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816)
+ Memory safety fixes in liboggplay media library
+ * MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613)
+ Integer overflow, crash in libtheora video library
+ * MFSA 2009-68/CVE-2009-3983 (bmo#487872)
+ NTLM reflection vulnerability
+ * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
+ Location bar spoofing vulnerabilities
+ * MFSA 2009-70/VE-2009-3986 (bmo#522430)
+ Privilege escalation via chrome window.opener
+- fixed firefox-browser-css.patch (bnc#561027)
+
+-------------------------------------------------------------------
+Mon Nov 23 22:31:21 CET 2009 - wr@rosenauer.org
+
+- rebased patches for fuzz=0
+
+-------------------------------------------------------------------
+Thu Nov 5 19:49:33 UTC 2009 - wr@rosenauer.org
+
+- update to version 3.5.5 (bnc#553172)
+
+-------------------------------------------------------------------
+Sat Oct 17 23:19:23 CEST 2009 - wr@rosenauer.org
+
+- security update to version 3.5.4 (bnc#545277)
+ * MFSA 2009-52/CVE-2009-3370 (bmo#511615)
+ Form history vulnerable to stealing
+ * MFSA 2009-53/CVE-2009-3274 (bmo#514823)
+ Local downloaded file tampering
+ * MFSA 2009-54/CVE-2009-3371 (bmo#514554)
+ Crash with recursive web-worker calls
+ * MFSA 2009-55/CVE-2009-3372 (bmo#500644)
+ Crash in proxy auto-configuration regexp parsing
+ * MFSA 2009-56/CVE-2009-3373 (bmo#511689)
+ Heap buffer overflow in GIF color map parser
+ * MFSA 2009-57/CVE-2009-3374 (bmo#505988)
+ Chrome privilege escalation in XPCVariant::VariantDataToJS()
+ * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
+ Heap buffer overflow in string to number conversion
+ * MFSA 2009-61/CVE-2009-3375 (bmo#503226)
+ Cross-origin data theft through document.getSelection()
+ * MFSA 2009-62/CVE-2009-3376 (bmo#511521)
+ Download filename spoofing with RTL override
+ * MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378
+ Upgrade media libraries to fix memory safety bugs
+ * MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383
+ Crashes with evidence of memory corruption
+- removed upstreamed patch
+ * firefox-bug506901.patch
+
+-------------------------------------------------------------------
+Wed Oct 7 20:11:24 CEST 2009 - llunak@novell.com
+
+- fix KDE button order in one more place (bnc#170055)
+
+-------------------------------------------------------------------
+Fri Oct 2 20:26:49 CEST 2009 - wr@rosenauer.org
+
+- improve UI colors to be usable with dark themes at all
+ (firefox-browser-css.patch) (bnc#503351)
+- extend list of supported architectures as ABI identifier
+ (mozilla-abi.patch) (bnc#543460)
+
+-------------------------------------------------------------------
+Mon Sep 14 00:07:55 CEST 2009 - wr@rosenauer.org
+
+- added KDE integration patch from llunak@novell.com
+ (firefox-kde.patch)
+ * support for knotify, making -kde4-addon obsolete
+ * KDE-specific support functional (bnc#170055)
+- do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs)
+
+-------------------------------------------------------------------
+Thu Sep 10 09:34:26 CEST 2009 - wr@rosenauer.org
+
+- security update to version 3.5.3 (bnc#534458)
+ * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
+ CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
+ Crashes with evidence of memory corruption
+ * MFSA 2009-49/CVE-2009-3077 (bmo#506871)
+ TreeColumns dangling pointer vulnerability
+ * MFSA 2009-50/CVE-2009-3078 (bmo#453827)
+ Location bar spoofing via tall line-height Unicode characters
+ * MFSA 2009-51/CVE-2009-3079 (bmo#454363)
+ Chrome privilege escalation with FeedWriter
+
+-------------------------------------------------------------------
+Wed Aug 19 22:14:07 CEST 2009 - wr@rosenauer.org
+
+- renamed patch firefox-contextmenu-gnome to firefox-cross-desktop
+ as it contains more tweaks to handle non-Gnome environments and
+ especially KDE integration:
+ * added the ability to set the KDE default browser
+ (still part of bnc#170055)
+
+-------------------------------------------------------------------
+Sat Aug 8 00:14:18 CEST 2009 - wr@rosenauer.org
+
+- split -translations package into -common and -other
+ (bnc#529180)
+- remove "set as background" from context menu if not running in
+ Gnome (part of bnc#170055)
+
+-------------------------------------------------------------------
+Fri Jul 31 09:01:57 CEST 2009 - wr@rosenauer.org
+
+- security update to version 3.5.2
+ * MFSA 2009-38/CVE-2009-2470 (bmo#459524)
+ Data corruption with SOCKS5 reply containing DNS name longer
+ than 15 characters
+ * MFSA 2009-44/CVE-2009-2654 (bmo#451898)
+ Location bar and SSL indicator spoofing via window.open() on
+ invalid URL
+ * MFSA 2009-45
+ Crashes with evidence of memory corruption
+ * MFSA 2009-46 (bmo#498897)
+ Chrome privilege escalation due to incorrectly cached wrapper
+ * various other stability fixes
+- export MOZ_APP_LAUNCHER in the startscript (bmo#453689)
+
+-------------------------------------------------------------------
+Tue Jul 28 14:54:46 CEST 2009 - wr@rosenauer.org
+
+- fixed %exclude usage
+- fixed preferences' advanced pane for fresh profiles (bmo#506901)
+
+-------------------------------------------------------------------
+Wed Jul 15 20:13:19 CEST 2009 - wr@rosenauer.org
+
+- security update to version 3.5.1
+ * MFSA 2009-41
+ Corrupt JIT state after deep return from native function
+
+-------------------------------------------------------------------
+Mon Jul 6 12:33:47 CEST 2009 - wr@rosenauer.org
+
+- added mozilla-linkorder.patch to fix build with --as-needed
+
+-------------------------------------------------------------------
+Tue Jun 30 08:52:00 CEST 2009 - wr@rosenauer.org
+
+- update to final version 3.5 (20090623)
+
+-------------------------------------------------------------------
+Tue Jun 23 09:39:50 CEST 2009 - wr@rosenauer.org
+
+- fixed build by linking to a real file
+
+-------------------------------------------------------------------
+Thu Jun 18 10:19:40 CEST 2009 - wr@rosenauer.org
+
+- update to version 3.5rc2 (20090617)
+- BuildRequire mozilla-xulrunner191 = 1.9.1.0
+
+-------------------------------------------------------------------
+Sat Jun 6 15:59:02 CEST 2009 - wr@rosenauer.org
+
+- update to version 3.5b99 (20090604)
+- BuildRequire mozilla-xulrunner191 = 1.9.1b99
+
+-------------------------------------------------------------------
+Wed May 27 08:03:16 CEST 2009 - wr@rosenauer.org
+
+- fixed typos in improved xulrunner dependencies
+
+-------------------------------------------------------------------
+Mon May 11 18:25:12 CEST 2009 - wr@rosenauer.org
+
+- use non-localized Downloads folder (bnc#501724)
+
+-------------------------------------------------------------------
+Mon May 4 07:57:50 CEST 2009 - wr@rosenauer.org
+
+- update to new major version 3.5b4
+ * based on Gecko 1.9.1 (mozilla-xulrunner191)
+ * Private Browsing Mode
+ * TraceMonkey JavaScript engine
+ * Geolocation support
+ * native JSON and web worker threads support
+ * speculative parsing for faster content rendering
+ * Some HTML5 support
+- updated firefox.schemas
+- improved firefox-no-update.patch
+
+-------------------------------------------------------------------
+Tue Apr 28 10:47:54 CEST 2009 - wr@rosenauer.org
+
+- security update to 3.0.10
+ * MFSA 2009-23/CVE-2009-1313 (bmo#489647)
+ Crash in nsTextFrame::ClearTextRun()
+
+-------------------------------------------------------------------
+Thu Apr 16 13:52:21 CEST 2009 - wr@rosenauer.org
+
+- security update to 3.0.9 (bnc#495473)
+ * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
+ Crashes with evidence of memory corruption (rv:1.9.0.9)
+ * MFSA 2009-15/CVE-2009-0652 (bmo#479336)
+ URL spoofing with box drawing character
+ * MFSA 2009-16/CVE-2009-1306 (bmo#474536)
+ jar: scheme ignores the content-disposition: header on the
+ inner URI
+ * MFSA 2009-17/CVE-2009-1307 (bmo#481342)
+ Same-origin violations when Adobe Flash loaded via
+ view-source: scheme
+ * MFSA 2009-18/CVE-2009-1308 (bmo#481558)
+ XSS hazard using third-party stylesheets and XBL bindings
+ * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
+ Same-origin violations in XMLHttpRequest and
+ XPCNativeWrapper.toString
+ * MFSA 2009-20/CVE-2009-1310 (bmo#483086)
+ Malicious search plugins can inject code into arbitrary sites
+ * MFSA 2009-21/CVE-2009-1311 (bmo#471962)
+ POST data sent to wrong site when saving web page with
+ embedded frame
+ * MFSA 2009-22/CVE-2009-1312 (bmo#475636)
+ Firefox allows Refresh header to redirect to javascript: URIs
+
+-------------------------------------------------------------------
+Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org
+
+- security update to 1.9.0.8 (bnc#488955,489411)
+ * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
+ Crash and remote code execution in XSL transformation
+ * MFSA 2009-13/CVE-2009-1044 (bmo#484320)
+ Arbitrary code execution via XUL tree moveToEdgeShift
+- allow RPM provides for stuff besides shared libraries
+ (e.g. mime-types)
+
+-------------------------------------------------------------------
+Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org
+
+- security update to 3.0.7 (bnc#478625)
+ * MFSA 2009-07 - Crashes with evidence of memory corruption
+ CVE-2009-0771 - Layout Engine Crashes
+ CVE-2009-0772 - Layout Engine Crashes
+ CVE-2009-0773 - crashes in the JavaScript engine
+ CVE-2009-0774 - Layout Engine Crashes
+ * MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
+ Mozilla Firefox XUL Linked Clones Double Free Vulnerability
+ * MFSA 2009-09/CVE-2009-0776 (bmo#414540)
+ XML data theft via RDFXMLDataSource and cross-domain redirect
+ * MFSA 2009-10/CVE-2009-0040 (bmo#478901)
+ Upgrade PNG library to fix memory safety hazards
+ * MFSA 2009-11/CVE-2009-0777 (bmo#452979)
+ URL spoofing with invisible control characters
+
+-------------------------------------------------------------------
+Wed Feb 4 18:58:59 EST 2009 - hfiguiere@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Wed Jan 28 13:48:00 CET 2009 - wr@rosenauer.org
+
+- security update to 3.0.6 (bnc#470074)
+ * MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored
+ (bmo#441751)
+ * MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading
+ HTTPOnly cookies (bmo#380418)
+ * MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via
+ local .desktop files (bmo#460425)
+ * MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore
+ (bmo#466937)
+ * MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method
+ and window.eval (bmo#468581)
+ * MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with
+ evidence of memory corruption (rv:1.9.0.6) (bmo#452913,
+ bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283,
+ bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697,
+ bmo#461027)
+ * (non security) added lv locale
+
+-------------------------------------------------------------------
+Thu Jan 22 11:09:42 EST 2009 - hfiguiere@suse.de
+
+- Fix the wrapper script for PowerPC 64-bits (bnc#464753)
+
+-------------------------------------------------------------------
+Wed Dec 17 13:13:25 EST 2008 - hfiguiere@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Mon Dec 15 16:41:57 CET 2008 - wr@rosenauer.org
+
+- security update to 1.9.0.5 (bnc#455804)
+ for details
+ http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
+ * removed aboutRights workaround again
+ * added et locale
+
+-------------------------------------------------------------------
+Tue Nov 25 10:14:45 EST 2008 - hfiguiere@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Sat Nov 22 13:26:03 CET 2008 - wr@rosenauer.org
+
+- replace license agreement with about:rights toolbar
+ (backported from upcoming FF 3.0.5) (bnc#436054, bmo#456439)
+ (it's always displayed in en-US)
+
+-------------------------------------------------------------------
+Fri Nov 21 03:11:41 EST 2008 - hfiguiere@suse.de
+
+- Update firefox-lockdown-ui.patch
+ * Print Setup is now properly locked down. bnc#431028
+ * Bookmark editing it now properly locked down. bnc#439335
+ * Bookmars are properly hidden.
+ * History is properly locked down. bnc#439343
+ * Make sure the search bar is not put back when resetting the
+ toolbar. bnc#439358
+
+-------------------------------------------------------------------
+Thu Nov 20 18:49:19 CST 2008 - maw@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Thu Nov 13 08:22:13 CET 2008 - wr@rosenauer.org
+
+- lockdown cleanup
+ * removed gecko-lockdown.patch from Firefox (it's in xulrunner)
+ * stripped out some toolkit stuff from firefox-ui-lockdown
+ * added extra default preferences for lockdown
+
+-------------------------------------------------------------------
+Wed Nov 12 17:55:19 CST 2008 - maw@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Tue Nov 11 09:15:59 CET 2008 - wr@rosenauer.org
+
+- update to security/maintenance release 3.0.4 (bnc#439841)
+ * support additional locales (bg, cy, eo, oc)
+- removed obsolete configure option (enable-gconf)
+
+-------------------------------------------------------------------
+Fri Nov 7 15:39:54 CST 2008 - maw@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Tue Nov 4 23:27:03 CET 2008 - wr@rosenauer.org
+
+- moved gconf schema into branding packages (bnc#441646)
+
+-------------------------------------------------------------------
+Tue Oct 28 16:16:14 EDT 2008 - hfiguiere@suse.de
+
+- Fix missing %endif (for fix for bnc#434283)
+
+-------------------------------------------------------------------
+Mon Oct 27 17:05:02 EDT 2008 - hfiguiere@suse.de
+
+- Add disable_show_passwords to firefox.schemas. (FATE #301534)
+
+-------------------------------------------------------------------
+Mon Oct 27 11:57:29 CET 2008 - wr@rosenauer.org
+
+- make biarch dependencies work correctly (bnc#434283)
+
+-------------------------------------------------------------------
+Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
+
+- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
+ * Lockdown: FATE#302023, FATE#302024
+
+-------------------------------------------------------------------
+Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz
+
+- Conflict with other branding providers (FATE#304881).
+
+-------------------------------------------------------------------
+Mon Sep 29 12:27:43 CDT 2008 - maw@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Mon Sep 29 11:36:30 CDT 2008 - maw@suse.de
+
+- Remove a reference to a stale patch.
+
+-------------------------------------------------------------------
+Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org
+
+- update to regression fix release 3.0.3
+ * Fixed a problem where users were unable to retrieve saved
+ passwords or save new passwords (bmo#454708, bnc#429179#c20,
+ CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070)
+
+-------------------------------------------------------------------
+Thu Sep 25 14:47:13 CDT 2008 - maw@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Mon Sep 15 13:45:16 CEST 2008 - wr@rosenauer.org
+
+- update to security/maintenance release 3.0.2 (bnc#429179)
+- removed unused files from sources
+- fix more rpmlint complaints and provide a config file to filter
+ false positives
+- disable Gnome crashreporter as it has no value
+- brought man-page up to date for the firefox stub
+ (removing firefox-bin reference)
+- en-US locale not longer packaged in translations subpackage
+
+-------------------------------------------------------------------
+Fri Aug 15 18:56:26 CDT 2008 - maw@novell.com
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Mon Aug 4 09:26:05 CEST 2008 - wr@rosenauer.org
+
+- Tweak branding split
+
+-------------------------------------------------------------------
+Tue Jul 29 15:02:47 CEST 2008 - vuntz@novell.com
+
+- Create branding package (bnc#390752):
+ + search-addons.tar.bz2, bookmarks.html.suse and
+ firefox-suse-default-prefs.js will be moved to
+ MozillaFirefox-branding-openSUSE
+ + create a MozillaFirefox-branding-upstream package
+
+-------------------------------------------------------------------
+Mon Jul 28 20:54:22 CEST 2008 - mauro@suse.de
+
+- Update to stability/security release 3.0.1 (bnc#407573)
+ (thanks, Wolfgang)
+ + MFSA 2008-36 Crash with malformed GIF file on Mac OS X
+ + MFSA 2008-35 Command-line URLs launch multiple tabs when
+ Firefox not running
+ + MFSA 2008-34 Remote code execution by overflowing CSS reference counter
+- Set browser.shell.checkDefaultBrowser to true (bnc#404119)
+
+-------------------------------------------------------------------
+Tue Jun 17 18:49:33 CEST 2008 - maw@suse.de
+
+- Merge changes from the build service (thanks, Wolfgang)
+ (bnc#400001 and SWAMP#18164).
+
+-------------------------------------------------------------------
+Tue Jun 17 14:40:04 CEST 2008 - wr@rosenauer.org
+
+- update to version 3.0
+- fixed double entry in bookmarks for www.opensuse.org (bnc#396980
+
+-------------------------------------------------------------------
+Thu May 15 13:45:51 CEST 2008 - aj@suse.de
+
+- Add Planet SUSE, forums.o.o and How to participate to default
+ URLs.
+
+-------------------------------------------------------------------
+Fri May 2 16:25:24 CEST 2008 - maw@suse.de
+
+- network.protocol-handler.app.* prefs are no longer supported;
+ remove references to them from firefox-suse-default-prefs.js
+ (bnc#383697).
+
+-------------------------------------------------------------------
+Thu Apr 3 01:42:34 CEST 2008 - maw@suse.de
+
+- Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang).
+
+-------------------------------------------------------------------
+Wed Mar 26 01:05:18 CET 2008 - maw@suse.de
+
+- Merge changes from the build service (thanks, Wolfgang)
+- Update to the fourth Firefox 3.0 Beta (2.9.94):
+ + Based upon the Gecko 1.9 Web rendering platform, which improves
+ performance, stability, and rendering correctness; it also
+ boasts a considerable simplification in its code
+ + Security improvements:
+ * One-click site info
+ * Malware Protection
+ * New Web Forgery Protection page
+ * New SSL error pages
+ * Add-ons and Plugin version check
+ * Secure add-on updates
+ * Effective top-level domain (eTLD) service to better restrict
+ cookies and other restricted content to a single domain
+ * Better protection against cross-site JSON data leaks
+ + Usability improvements:
+ * Easier password management
+ * Simplified add-on installation
+ * New Download Manager
+ * Resumable downloading
+ * Full page zoom
+ * Podcasts and Videocasts can be associated with your media
+ playback tools
+ * Tab scrolling and quickmenu
+ * Save what you were doing: Firefox will prompt users to save
+ tabs on exit
+ * Optimized Open in Tabs behavior
+ * Location and Search bar size can now be customized with a
+ simple resizer item
+ * Text selection improvements
+ * Find toolbar
+ * Improved integration with Linux: Firefox's default icons,
+ buttons, and menu styles now use the native GTK theme
+ + Personalization improvements:
+ * Star button: quickly add bookmarks from the location bar
+ with a single click; a second click lets you file and tag them
+ * Tags: associate keywords with your bookmarks to sort them
+ by topic
+ * Location bar & auto-complete
+ * Smart Bookmarks Folder
+ * Places Organizer: view, organize and search through all
+ of your bookmarks, tags, and browsing history with multiple
+ views and smart folders to store your frequent searches
+ * Web-based protocol handlers
+ * Download & Install Add-ons
+ * Easy to use Download Actions
+ + Improved platform for web developers:
+ * New graphics and font handling: new graphics and text
+ rendering architectures in Gecko 1.9 provides rendering
+ improvements in CSS, SVG as well as improved display of
+ fonts with ligatures and complex scripts
+ * Color management: (set gfx.color_management.enabled on
+ in about:config and restart the browser to enable.);
+ Firefox can now adjust images with embedded color profiles
+ * Offline support: enables web applications to provide
+ offline functionality (website authors must add support
+ for offline browsing to their site for this feature
+ to be available to users)
+ + Improved performance:
+ * Speed: improvements to the JavaScript engine as well as
+ profile guided optimizations have resulted in significant
+ improvements in performance; compared to Firefox 2,
+ web applications like Google Mail and Zoho Office run
+ twice as fast in Firefox 3 Beta 4, and the popular
+ SunSpider test from Apple shows improvements over
+ previous releases
+ * Memory usage: Several new technologies work together to
+ reduce the amount of memory used by Firefox 3 Beta 4
+ over a web browsing session; memory cycles are broken
+ and collected by an automated cycle collector, a new
+ memory allocator reduces fragmentation, hundreds of leaks
+ have been fixed, and caching strategies have been tuned
+ * Reliability: A user's bookmarks, history, cookies, and
+ preferences are now stored in a transactionally secure
+ database format which will prevent data loss even if their
+ system crashes
+- This version depends upon the mozilla-xulrunner190 package
+- Drop various stale packages, respin several that have been
+ kept around, and add a few new ones.
+
+-------------------------------------------------------------------
+Mon Feb 11 18:18:14 CET 2008 - maw@suse.de
+
+- Security update to version 2.0.0.12 (bnc#354469):
+ + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div
+ overlay
+ + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet
+ redirect
+ + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain
+ text files
+ + MFSA 2008-08/CVE-2008-0591 File action dialog tampering
+ + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward
+ navigation stealing
+ + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI
+ + MFSA 2008-04/CVE-2008-0417 Stored password corruption
+ + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote
+ Code Execution
+ + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing
+ vulnerabilities
+ + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory
+ corruption (rv:1.8.1.12)
+- Reference libaoss.so in start script (bnc#117079)
+- Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed
+- Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and
+ FATE#302024)
+- Add application/x-xpinstall mime type to MozillaFirefox.desktop
+- Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall
+ in desktop.
+
+-------------------------------------------------------------------
+Thu Jan 17 17:52:47 CET 2008 - maw@suse.de
+
+- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
+
+-------------------------------------------------------------------
+Fri Dec 21 18:46:50 CET 2007 - maw@suse.de
+
+- Add firefox-348446-empty-lists.patch (bnc#348446).
+
+-------------------------------------------------------------------
+Wed Dec 5 02:21:26 CET 2007 - maw@suse.de
+
+- Respin proxy-dev.patch (bnc#340678) -- thanks, Anders!
+
+-------------------------------------------------------------------
+Tue Nov 27 18:25:25 CET 2007 - maw@suse.de
+
+- Security update to version 2.0.0.10 (#341905, #341591):
+ + MFSA 2007-39 Referer-spoofing via window.location race condition
+ + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
+ + MFSA 2007-37 jar: URI scheme XSS hazard
+ + Fixes for regressions introduced in 2.0.0.8
+ + Updated dbus.patch, startup.patch, misc.dif, and configure.patch
+- Add mozilla-gcc4.3-fixes.patch
+- Add mozilla-canvas-1.8.1.10.patch (#341591#c10).
+
+-------------------------------------------------------------------
+Mon Nov 26 18:27:25 CET 2007 - maw@suse.de
+
+- Build with -ftree-vrp -fwrapv, per advice in #342603#c17.
+
+-------------------------------------------------------------------
+Tue Nov 13 17:49:01 CET 2007 - maw@suse.de
+
+- Add firefox-gcc4.3-fixes.patch.
+
+-------------------------------------------------------------------
+Fri Oct 19 02:04:45 CEST 2007 - maw@suse.de
+
+- Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang)
+ * MFSA 2007-29 Crashes with evidence of memory corruption
+ * MFSA 2007-30 onUnload Tailgating
+ * MFSA 2007-31 Digest authentication request splitting
+ * MFSA 2007-32 File input focus stealing vulnerability
+ * MFSA 2007-33 XUL pages can hide the window titlebar
+ * MFSA 2007-34 Possible file stealing through sftp protocol
+ * MFSA 2007-35 XPCNativeWraper pollution using Script object
+ complete advisories on
+ http://www.mozilla.org/projects/security/known-vulnerabilities.html
+
+-------------------------------------------------------------------
+Sun Sep 23 19:49:12 CEST 2007 - maw@suse.de
+
+- Don't explicitly require libaoss.so (#326751).
+
+-------------------------------------------------------------------
+Fri Sep 14 23:13:06 CEST 2007 - maw@suse.de
+
+- Update the Novell Support search plugin in search-addons.tar.bz2
+ (#297261)
+- Set the browser.tabs.loadFolderAndReplace preference to false
+ by default (#230759).
+
+-------------------------------------------------------------------
+Wed Sep 12 15:21:06 CEST 2007 - dmueller@suse.de
+
+- fix hardlinks accross partitions
+
+-------------------------------------------------------------------
+Thu Sep 6 16:07:12 CEST 2007 - maw@suse.de
+
+- Add http://software.opensuse.org/search?baseproject=openSUSE:10.3
+ to the default bookmarks (#308223).
+
+-------------------------------------------------------------------
+Mon Sep 3 22:33:09 CEST 2007 - ro@suse.de
+
+- move last change a bit further in specfile
+
+-------------------------------------------------------------------
+Fri Aug 31 18:36:16 CEST 2007 - maw@suse.de
+
+- Mark a .png file as nonexecutable.
+
+-------------------------------------------------------------------
+Tue Aug 28 16:44:08 CEST 2007 - maw@suse.de
+
+- Minor .spec update (#305193)
+ + Remove two obsolete patches
+ + Correct releasedate
+ + Include only the officially supported locales.
+
+-------------------------------------------------------------------
+Wed Aug 22 17:53:03 CEST 2007 - maw@suse.de
+
+- Merge changes from the build service (thanks, Wolfgang):
+ + Provide locale dependency information (#302288)
+ + Add x11-session.patch, supporting X11 session management
+ (#227047)
+ + Update to version 2.0.0.6
+ * MFSA 2007-26 Privilege escalation through chrome-loaded
+ about:blank windows
+ * MFSA 2007-27 Unescaped URIs passed to external programs
+ (only relevant on Windows)
+- Use %fdupes.
+
+-------------------------------------------------------------------
+Tue Aug 21 09:45:35 CEST 2007 - aj@suse.de
+
+- Adjust bookmarks: Add news.opensuse.org, use new software.o.o
+ page.
+
+-------------------------------------------------------------------
+Thu Aug 16 14:57:27 CEST 2007 - mauro@suse.de
+
+- Revert previous change.
+
+-------------------------------------------------------------------
+Tue Aug 14 11:58:23 CEST 2007 - mauro@suse.de
+
+- Added support for ymp in the mimetypes.rdf
+- Added OneClickInstallUrlHandler for handing the actual call from firefox.
+- Fixes bnc #295677
+
+-------------------------------------------------------------------
+Mon Jul 23 18:57:07 CEST 2007 - maw@suse.de
+
+- Security update to version 2.0.0.5 (#288115) which has fixes for:
+MFSA 2007-18
+ CVE-2007-3734 - Browser flaws
+ CVE-2007-3735 - Javascript flaws
+
+MFSA 2007-19
+ CVE-2007-3736
+
+MFSA 2007-20
+ CVE-2007-3089
+
+MFSA 2007-21
+ CVE-2007-3737
+
+MFSA 2007-22
+ CVE-2007-3285
+
+MFSA 2007-23
+ CVE-2007-3670
+
+MFSA 2007-24
+ CVE-2007-3656
+
+MFSA 2007-25
+ CVE-2007-3738
+
+-------------------------------------------------------------------
+Thu Jun 21 15:59:01 CEST 2007 - adrian@suse.de
+
+- fix changelog entry order
+
+-------------------------------------------------------------------
+Mon Jun 18 13:22:42 CDT 2007 - maw@suse.de
+
+- Use mozilla.sh.in from the build service (#230681).
+
+-------------------------------------------------------------------
+Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz
+
+- Removed invalid desktop category "Application" (#254654).
+
+-------------------------------------------------------------------
+Mon Jun 4 19:53:35 CDT 2007 - maw@suse.de
+
+- Security update to version 2.0.0.4
+- Refresh configure.patch, startup.patch, and visibility.patch
+- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2.
+
+-------------------------------------------------------------------
+Mon Apr 30 16:49:55 CEST 2007 - ro@suse.de
+
+- added unzip to BuildRequires
+
+-------------------------------------------------------------------
+Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de
+
+- add Japanese to the languages which get PANGO enabled in the
+ start script to support the Japanese combining characters
+ U+3099 U+309A (see bugzilla #262718 comment #29).
+
+-------------------------------------------------------------------
+Mon Mar 12 11:06:10 CST 2007 - maw@suse.de
+
+- Package gconf stuff.
+
+-------------------------------------------------------------------
+Wed Feb 21 16:37:25 CST 2007 - maw@suse.de
+
+- Security update to 2.0.0.2 (#244923), which covers:
+ + mfsa2007-01
+ * CVE-2007-0775 - layout engine crashes
+ * CVE-2007-0776 - SVG
+ * CVE-2007-0777 - javascript engine corruption
+ + mfsa2007-02
+ * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes
+ * CVE-2007-0996 - Child frame character set inheritance
+ * CVE-2006-6077 - Injected password forms
+ + mfsa2007-02
+ + mfsa2007-03
+ * CVE-2007-0078
+ + mfsa2007-04
+ * CVE-2007-0079
+ + mfsa2007-05
+ * CVE-2007-0780
+ * CVE-2007-0800
+ + mfsa2007-06
+ * CVE-2007-0008 - client flaw
+ * CVE-2007-0009 - server flaw
+ + mfsa2007-07
+ * CVE-2007-0981
+- Updates mozilla.sh.in (#230681)
+- Fixes #232209
+- Updates the man page (#243037)
+- Properly propagates exit codes (#241492)
+- Adds em-356370.patch (#217374)
+
+-------------------------------------------------------------------
+Thu Jan 25 10:16:56 CST 2007 - maw@suse.de
+
+- Fixup the Gnome paths, keeping in closer sync with the
+ buildservice.
+
+-------------------------------------------------------------------
+Thu Jan 18 09:27:54 CST 2007 - maw@suse.de
+
+- Gnome is now in /usr, so remove references to /opt/gnome
+- Install firefox.png with the executable bit not set.
+
+-------------------------------------------------------------------
+Wed Jan 10 12:57:39 CET 2007 - meissner@suse.de
+
+- readd MozillaFirebird provides (was incorrect in removing it).
+
+-------------------------------------------------------------------
+Mon Jan 8 11:16:08 CET 2007 - meissner@suse.de
+
+- Do not provide MozillaFirebird, just obsolete it.
+
+-------------------------------------------------------------------
+Fri Dec 1 02:22:49 CET 2006 - maw@suse.de
+
+- Update gecko-lockdown.patch (#220616).
+
+-------------------------------------------------------------------
+Thu Nov 30 19:02:54 CET 2006 - maw@suse.de
+
+- Update firefox-suse-default-prefs.js, adding
+ 'pref("browser.backspace_action", 2);' (#217374)
+
+-------------------------------------------------------------------
+Thu Nov 30 08:17:28 CET 2006 - aj@suse.de
+
+- Fix last change (#224431).
+
+-------------------------------------------------------------------
+Wed Nov 29 11:45:47 CET 2006 - aj@suse.de
+
+- Change download bookmark (#224431).
+- Rename bookmark folder to openSUSE.
+
+-------------------------------------------------------------------
+Tue Nov 28 08:09:48 CET 2006 - aj@suse.de
+
+- Sync from Buildservice with following critical fixes (thanks
+ Wolfgang Rosenauer!):
+ * fixed system-proxies.patch to actually work (#223881).
+ * Rearrange Bookmarks to pass trademark review.
+
+-------------------------------------------------------------------
+Mon Nov 27 19:40:44 CET 2006 - aj@suse.de
+
+- Fix tango theme (#223796).
+
+-------------------------------------------------------------------
+Mon Nov 27 17:40:50 CET 2006 - aj@suse.de
+
+- Use www.opensuse.org as home page.
+
+-------------------------------------------------------------------
+Sun Nov 12 11:28:00 CET 2006 - aj@suse.de
+
+- Set novell.com as home page.
+- Update from BuildService (thanks Wolfgang!):
+ - fixed crash in htmlparser (#217257, bmo #358797)
+ - added gconf2 as PreReq (#212505)
+ - added 32bit libaoss.so as requirement (#216266)
+ - Removed SUSE searchplugin (Portal not available anymore)
+ (#216054)
+ - Removed obsolete xul-picker.patch and system-nspr.patch
+ - Fixed building on 10.1 and 10.0 (dbus)
+ - Removed obsolete throbber preference
+
+-------------------------------------------------------------------
+Thu Nov 9 19:09:46 CET 2006 - jhargadon@suse.de
+
+- updated tango theme
+
+-------------------------------------------------------------------
+Sun Oct 29 12:05:46 CET 2006 - aj@suse.de
+
+- Another fix for 214125, patch by Wolfgang Rosenauer.
+
+-------------------------------------------------------------------
+Thu Oct 26 06:58:59 CEST 2006 - aj@suse.de
+
+- Fix gcc warnings about undefined operations, patch by
+ Robert O'Callahan.
+- Update system-proxies.patch to fix error box (214125), patch by
+ Robert O'Callahan.
+
+-------------------------------------------------------------------
+Mon Oct 23 21:54:54 CEST 2006 - aj@suse.de
+
+- Update to current CVS version of 2.0.
+- Use www.opensuse.org as default home page for now (#203547).
+
+-------------------------------------------------------------------
+Sat Oct 21 08:53:50 CEST 2006 - aj@suse.de
+
+- Disable non-working plasticfox and tango themes.
+
+-------------------------------------------------------------------
+Fri Oct 20 20:16:29 CEST 2006 - aj@suse.de
+
+- Fix building of locales.
+
+-------------------------------------------------------------------
+Fri Oct 20 11:27:23 CEST 2006 - mkoenig@suse.de
+
+- update to version 2.0rc3:
+ * New features: Visual Refresh, Built-in phishing protection,
+ Enhanced search capabilities, Improved tabbed browsing,
+ Resuming your browsing session, Previewing and subscribing
+ to Web feeds, Inline spell checking, Live Titles,
+ Improved Add-ons manager, JavaScript 1.7, Extended search
+ plugin format, Updates to the extension system,
+ Client-side session and persistent storage, SVG text
+
+-------------------------------------------------------------------
+Tue Oct 17 11:26:44 CEST 2006 - meissner@suse.de
+
+- disabled debugging.
+
+-------------------------------------------------------------------
+Tue Sep 12 20:27:02 CEST 2006 - stark@suse.de
+
+- security update to version 1.5.0.7
+
+-------------------------------------------------------------------
+Mon Aug 21 12:53:50 CEST 2006 - stark@suse.de
+
+- added greasemonkey helper change (#199920)
+- fixed packager.mk for new make version
+
+-------------------------------------------------------------------
+Fri Aug 11 20:51:48 CEST 2006 - stark@suse.de
+
+- fixed crash in dbus component (patch by thoenig #197928)
+- use external adresses for PAC configuration (#196506)
+
+-------------------------------------------------------------------
+Mon Aug 7 09:26:58 CEST 2006 - stark@suse.de
+
+- added symlink for Firefox 1.0.x compatibility
+
+-------------------------------------------------------------------
+Sat Jul 29 08:48:53 CEST 2006 - stark@suse.de
+
+- update to regression release 1.5.0.6 (#195043)
+
+-------------------------------------------------------------------
+Thu Jul 27 06:20:36 CEST 2006 - stark@suse.de
+
+- security update to version 1.5.0.5 (#195043)
+ * observer-lock.patch integrated now
+- fixed leak in JS' liveconnect (#186066)
+- fixed desktop file for old distributions
+ (StartupNotify=false)
+
+-------------------------------------------------------------------
+Thu Jun 29 20:13:28 CEST 2006 - stark@suse.de
+
+- fixed printing crash if the last used printer is not available
+ anymore (#187013)
+
+-------------------------------------------------------------------
+Fri Jun 16 22:11:22 CEST 2006 - stark@suse.de
+
+- added 48x48 icon (#185777)
+
+-------------------------------------------------------------------
+Mon Jun 12 20:20:02 CEST 2006 - stark@suse.de
+
+- fix overwrite confirmation for GTK filesaver (#179531)
+- get network.negotiate-auth.trusted-uris and
+ network.negotiate-auth.delegation-uris from gconf if
+ system-settings are enabled (#184489)
+
+-------------------------------------------------------------------
+Thu Jun 1 20:34:43 CEST 2006 - stark@suse.de
+
+- update to security/stability release 1.5.0.4 (#179011)
+- moved locale-global prefs to browserconfig.properties (#177881)
+
+-------------------------------------------------------------------
+Tue May 23 21:11:11 CEST 2006 - stark@suse.de
+
+- complete implementation of startup-notification (#115417)
+ (including autoconf and remote support)
+- different home-pages for SLE10 and SL (#177881)
+
+-------------------------------------------------------------------
+Tue May 16 06:27:26 CEST 2006 - stark@suse.de
+
+- fixed potential deadlock in nsObserverList::RemoveObserver
+ (#173986, bmo #338069)
+- base startup notification on libstartup-notification (#115417)
+
+-------------------------------------------------------------------
+Thu May 11 09:39:27 CEST 2006 - stark@suse.de
+
+- save printer settings properly (#174082, bmo #324072)
+- added startup notification support for showing load activity
+ in Gnome and to avoid focus stealing prevention (#115417)
+- added StartupNotify=true to desktop file (#115417)
+- provide legacy symlink for NLD9 update compatibility (#173138)
+- fixed system-proxies patch to avoid unwanted wpad requests
+ (#171743, #167613)
+
+-------------------------------------------------------------------
+Mon May 8 14:55:52 CEST 2006 - stark@suse.de
+
+- preconfigure the theme according to the used desktop (#151163)
+
+-------------------------------------------------------------------
+Thu Apr 27 10:24:07 CEST 2006 - stark@suse.de
+
+- last minute change for 1.5.0.3
+
+-------------------------------------------------------------------
+Wed Apr 26 14:23:33 CEST 2006 - stark@suse.de
+
+- security update to 1.5.0.3
+- fix for typo in postscript.patch
+
+-------------------------------------------------------------------
+Tue Apr 25 14:14:51 CEST 2006 - stark@suse.de
+
+- fixed iframe crash (#169039, bmo #334515)
+- fixed img tag misuse (#168710, bmo #334341)
+
+-------------------------------------------------------------------
+Mon Apr 24 08:04:16 CEST 2006 - stark@suse.de
+
+- improved postscript output (bmo #334485)
+- changed defaults for printer properties (#6534)
+- overwrite gnome-vfs' file protocol by providing "desktop-launch"
+ (#131501)
+- get available paper sizes from CUPS (#65482)
+- replaced/removed complicated gconfd reload in %post (#167989)
+- fixed memory leak in clipboard caching (bmo #289897)
+
+-------------------------------------------------------------------
+Tue Apr 11 08:35:53 CEST 2006 - stark@suse.de
+
+- added (optional) plastikfox theme (#151163)
+- get some more security related patches (#148876)
+- finally fixed the default proxy configuration by adding a new
+ UI option (#132398)
+
+-------------------------------------------------------------------
+Mon Apr 3 11:41:13 CEST 2006 - stark@suse.de
+
+- fixed keyword fixup patch (#162532)
+
+-------------------------------------------------------------------
+Tue Mar 28 07:17:04 CEST 2006 - stark@suse.de
+
+- don't use keyword fixup for pasted text (#160034, bmo #331522)
+
+-------------------------------------------------------------------
+Mon Mar 20 09:28:58 CET 2006 - stark@suse.de
+
+- added Tango theme
+- fixed reading proxies from gconf (#132398)
+
+-------------------------------------------------------------------
+Sun Mar 12 09:04:05 CET 2006 - stark@suse.de
+
+- tweaked bookmarks (fixed URLs)
+- added Khmer (km-*) to pango locales (#157397)
+
+-------------------------------------------------------------------
+Sat Mar 4 21:08:45 CET 2006 - stark@suse.de
+
+- fixed crash with multipart JPEGs (bmo #328684) (#140416)
+- got latest security fixes from upstream (#148876)
+
+-------------------------------------------------------------------
+Wed Feb 22 13:24:58 CET 2006 - stark@suse.de
+
+- fixed plugin loading when launched from Thunderbird (#151614)
+- merged dbus reconnection patch (#150042)
+- default to autodetect proxy (network.proxy.type=4) (#151811)
+- added GTK category to desktop file
+
+-------------------------------------------------------------------
+Tue Feb 14 06:45:24 CET 2006 - stark@suse.de
+
+- modified lockdown patches (#67281, #67282)
+- applied set of security patches (#148876)
+ bmo bugs: 282105, 307989, 315625, 320459, 323634, 325403, 325947
+
+-------------------------------------------------------------------
+Tue Feb 7 20:09:43 CET 2006 - stark@suse.de
+
+- fixed disabling of Pango (#148788)
+
+-------------------------------------------------------------------
+Thu Feb 2 21:51:30 CET 2006 - stark@suse.de
+
+- define gssapi lib explicitely (#147670)
+- use only official Firefox-Icon
+- changed home-download patch
+
+-------------------------------------------------------------------
+Sun Jan 29 09:54:49 CET 2006 - stark@suse.de
+
+- throbber URL is default again
+- removed firefox-showpass patch
+- removed additional CA certs from builtin NSS
+
+-------------------------------------------------------------------
+Fri Jan 27 17:55:21 CET 2006 - stark@suse.de
+
+- got some l10n changes from 1.8.0 branch
+
+-------------------------------------------------------------------
+Fri Jan 27 08:15:09 CET 2006 - stark@suse.de
+
+- final 1.5.0.1 version
+- make it possible to choose $HOME as download directory
+ (#144894, bmo #300856)
+
+-------------------------------------------------------------------
+Wed Jan 25 21:33:43 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Sun Jan 22 17:06:57 CET 2006 - stark@suse.de
+
+- disable Pango if MOZ_ENABLE_PANGO is not set
+ and no typical language which needs Pango is used (#143428)
+
+-------------------------------------------------------------------
+Wed Jan 18 10:27:30 CET 2006 - stark@suse.de
+
+- fixed DumpStackToFile() for glibc 2.4
+- added default (font) settings
+
+-------------------------------------------------------------------
+Thu Jan 12 10:23:58 CET 2006 - stark@suse.de
+
+- update to 1.5.0.1pre (20060111)
+- updated man-page
+- fixed hovered tab close button
+- only Requires mozilla-nspr instead of PreReq since
+ there is no postinstall registration necessary anymore
+- use system NSS from CODE10 on
+- use -fstack-protector where available
+- changed unixproxy component to work on older distributions
+
+-------------------------------------------------------------------
+Mon Jan 2 13:39:09 CET 2006 - stark@suse.de
+
+- added unixproxy component written by Robert O'Callahan (#132398)
+ (bmo #66057)
+- added official translations
+- preload libaoss for plugin sound (#117079)
+
+-------------------------------------------------------------------
+Wed Dec 28 08:16:03 CET 2005 - stark@suse.de
+
+- get some patches from 1.8.0 branch
+- readded modification to gconf-backend (bmo #321315)
+- readded lockdown stuff
+- enable additional extension install directory (#120329)
+ (/usr/lib/browser-extensions/firefox)
+- added patch to make the XUL filechooser optional
+ (MOZ_XUL_PICKER)
+
+-------------------------------------------------------------------
+Wed Dec 14 16:08:12 CET 2005 - stark@suse.de
+
+- fixed patch for parsing -remote parameter
+- removed default-plugin patch (not needed anymore)
+
+-------------------------------------------------------------------
+Fri Dec 9 17:21:29 CET 2005 - stark@suse.de
+
+- fix to ignore X composite extension (#135373)
+- fixed parsing of -remote parameters (#134396)
+- activated locales as released
+
+-------------------------------------------------------------------
+Tue Nov 29 21:33:13 CET 2005 - stark@suse.de
+
+- update to 1.5 (20051128)
+- don't override startup URL when changing Gecko versions (#135314)
+- added patch for GTK2 handling (#134831)
+- readded add-plugins stuff for compatibility
+
+-------------------------------------------------------------------
+Fri Nov 18 07:41:41 CET 2005 - stark@suse.de
+
+- update to 1.5rc3 (20051117)
+
+-------------------------------------------------------------------
+Mon Oct 31 08:58:14 CET 2005 - stark@suse.de
+
+- updated l10n archive (20051030)
+- fixed postinstall script to copy plugin links instead of files
+
+-------------------------------------------------------------------
+Fri Oct 28 06:43:27 CEST 2005 - stark@suse.de
+
+- update to 1.5rc1 (20051027)
+- fixed profile locking on FAT partitions (bmo #313360)
+- introduced an rpath again
+
+-------------------------------------------------------------------
+Wed Oct 19 20:03:48 CEST 2005 - stark@suse.de
+
+- update to snapshot 1.5 (20051019)
+- moved installation to /usr/%{_lib}/firefox
+- added dbus component to be able to get network status from
+ NetworkManager (bmo #312793)
+- remove all update UI for application
+- removed diable-gconf (no registration at build time anymore)
+- removed rebuild-databases.sh (no system registration anymore)
+- open links in new windows (#128087)
+
+-------------------------------------------------------------------
+Thu Oct 6 20:44:53 CEST 2005 - stark@suse.de
+
+- update to Firefox 1.5b2 (20051005)
+- added supported translations
+
+-------------------------------------------------------------------
+Sat Oct 1 15:09:18 CEST 2005 - stark@suse.de
+
+- update to Firefox 1.5b1 (20050930) RPM version 1.4.1
+- removed rebuild-databases.sh calls
+- removed add-plugins.sh calls and corresponding triggers
+- enabled SVG and Canvas support
+- fixed gconf urlhandler registration
+
+-------------------------------------------------------------------
+Tue Sep 20 10:24:16 CEST 2005 - stark@suse.de
+
+- security update to 1.0.7 (#117619)
+ * MFSA 2005-57: IDN heap overrun using soft-hyphens (bmo #307259)
+ (enabled IDN pref again)
+ * MFSA 2005-58:
+ CAN-2005-2701 Heap overrun in XBM image processing
+ CAN-2005-2702 Crash on "zero-width non-joiner" sequence
+ CAN-2005-2703 XMLHttpRequest header spoofing
+ CAN-2005-2704 Object spoofing using XBL <implements>
+ CAN-2005-2705 JavaScript integer overflow
+ CAN-2005-2706 Privilege escalation using about: scheme
+ CAN-2005-2707 Chrome window spoofing
+ Regression fixes
+- register beagle extension if it gets installed (#116787)
+
+-------------------------------------------------------------------
+Tue Sep 13 15:41:37 CEST 2005 - aj@suse.de
+
+- Change SUSE bookmarks.
+
+-------------------------------------------------------------------
+Sun Sep 11 17:05:07 CEST 2005 - stark@suse.de
+
+- disable IDN per default (#116070)
+- unlocalize bookmarks (#114279)
+
+-------------------------------------------------------------------
+Thu Sep 8 08:52:13 CEST 2005 - stark@suse.de
+
+- fixed some filemodes (#114849)
+
+-------------------------------------------------------------------
+Sun Sep 4 00:03:53 CEST 2005 - stark@suse.de
+
+- fixed gconf-backend patch to be able to use
+ system prefs (#114054)
+
+-------------------------------------------------------------------
+Thu Sep 1 13:22:17 CEST 2005 - stark@suse.de
+
+- changed default font to sans-serif (#114464)
+- removed de-de parts of the bookmark-links (#114279)
+
+-------------------------------------------------------------------
+Mon Aug 22 06:10:12 CEST 2005 - stark@suse.de
+
+- install gconf schema for lockdown also on non-NLD
+- added backports (firefox-backports.patch)
+ * gtk_im_context_set_cursor_location() is not used (bmo #281339)
+ * fixed crash in imgCacheValidator::OnStartRequest()
+ (bmo #293307)
+- workaround for linking with pangoxft and pangox
+ (broken by gtk 2.8 update) (#105764)
+- remove extensions on deinstallation
+- include dragonegg (kparts) plugin (#105468)
+
+-------------------------------------------------------------------
+Thu Aug 18 13:08:55 CEST 2005 - stark@suse.de
+
+- fixed regression in profile locking change (bmo #303633)
+- added rtsp handler to global config (#104434)
+- don't blacklist help: protocol (bmo #304833)
+- fixed Gdk-WARNING at startup (gtk.patch)
+- fixed crash with gtk 2.7 (bmo #300226, bnc #104586)
+- fixed installation of the beagle plugin
+- update industrial theme to 1.0.11 (#104564)
+- included lockdownV2 (removed obsolete gconf.diff)
+- linked firefox-bin with rpath to progdir
+
+-------------------------------------------------------------------
+Fri Aug 5 09:51:26 CEST 2005 - stark@suse.de
+
+- fixed profile locking (bmo #151188)
+- install beagle extension globally
+
+-------------------------------------------------------------------
+Fri Jul 29 06:58:24 CEST 2005 - stark@suse.de
+
+- don't require and provide NSS libs (#98002)
+- fixed printing error 'You cannot print while in print preview'
+ (#96991, bmo #302445)
+
+-------------------------------------------------------------------
+Wed Jul 27 09:34:12 CEST 2005 - stark@suse.de
+
+- fixed Firefox on ppc (stack-direction.patch) (#97359)
+- removed open-pref from startscript as it is done
+ automatically now (#73042)
+- updated Novell searchplugins
+
+-------------------------------------------------------------------
+Mon Jul 25 12:32:13 CEST 2005 - stark@suse.de
+
+- GTK filechooser is now modal (#8533)
+- backed out patch to add tooltips to print-preview
+ because it breaks localization
+
+-------------------------------------------------------------------
+Fri Jul 22 10:54:39 CEST 2005 - stark@suse.de
+
+- fixed another problem in printing patch
+
+-------------------------------------------------------------------
+Tue Jul 19 10:44:59 CEST 2005 - stark@suse.de
+
+- fixed error in ft-xft-ps2.patch
+- disabled stripping in spec instead of patch
+- added NSPR to PreReq
+
+-------------------------------------------------------------------
+Mon Jul 18 08:43:24 CEST 2005 - stark@suse.de
+
+- fixed some more regressions with final 1.0.6
+- fixed width calculation in Postscript module (bmo #290292)
+- fixed plugin event starvation (bnc #94749, #94751, bmo #301161)
+
+-------------------------------------------------------------------
+Fri Jul 15 11:24:47 CEST 2005 - stark@suse.de
+
+- searchplugins can now be installed per profile (#8176)
+
+-------------------------------------------------------------------
+Fri Jul 15 06:54:02 CEST 2005 - stark@suse.de
+
+- update to 1.0.6 which restores API compatibility
+
+-------------------------------------------------------------------
+Tue Jul 12 06:20:37 CEST 2005 - stark@suse.de
+
+- update to 1.0.5 final (#88509)
+- don't strip explicitely
+- don't ship beagle.xpi
+
+-------------------------------------------------------------------
+Wed Jul 6 14:13:09 CEST 2005 - stark@suse.de
+
+- update to 1.0.5-pre (20050705)
+- use RPM_OPT_FLAGS for NSS component
+- fixed implicit declarations and uninitialized used variables
+- added patch for bmo #87969
+
+-------------------------------------------------------------------
+Tue Jul 5 10:17:16 CEST 2005 - stark@suse.de
+
+- fixed regression from security update (#95069, bmo #298478)
+
+-------------------------------------------------------------------
+Mon Jun 27 21:46:58 CEST 2005 - stark@suse.de
+
+- don't use system-prefs by default on NLD
+- removed basic lockdown stuff for SUSE Linux
+ (it's not needed and caused problems: bnc #75418)
+- fixed NLD lockdown patch (bnc #75418)
+- don't write prefs back to gconf for now
+
+-------------------------------------------------------------------
+Wed Jun 22 07:32:42 CEST 2005 - stark@suse.de
+
+- new NLD lockdown patch which is syncing user prefs to gconf
+- update to 1.0.5pre security-release
+
+-------------------------------------------------------------------
+Thu Jun 9 06:56:02 CEST 2005 - stark@suse.de
+
+- new revision of NLD lockdown patch
+- fixed remote usage behaviour in start script (bnc #41903)
+- got more bugfixes from the branch
+
+-------------------------------------------------------------------
+Thu Jun 2 10:31:48 CEST 2005 - stark@suse.de
+
+- fixed neededforbuild
+
+-------------------------------------------------------------------
+Wed Jun 1 20:15:25 CEST 2005 - stark@suse.de
+
+- fixed IDN for 64bit platforms (bmo #236425, bnc #46268)
+
+-------------------------------------------------------------------
+Fri May 20 15:12:06 CEST 2005 - stark@suse.de
+
+- fixed keybinding for KP separator (bnc #84147)
+- pulled security related patch from upstream branch
+- update plastikfox theme to version 1.6
+
+-------------------------------------------------------------------
+Thu May 12 06:16:25 CEST 2005 - stark@suse.de
+
+- update to final 1.0.4 release
+
+-------------------------------------------------------------------
+Tue May 10 06:38:05 CEST 2005 - stark@suse.de
+
+- update to 1.0.4 security release
+- removed s390(x) patches (upstream)
+- made two more files %verify (81692)
+- updated NLD lockdown patch (81304)
+
+-------------------------------------------------------------------
+Thu Apr 28 09:45:53 CEST 2005 - stark@suse.de
+
+- use static NSPR libs from new location
+
+-------------------------------------------------------------------
+Sat Apr 23 15:56:08 CEST 2005 - stark@suse.de
+
+- activate usage of system NSPR for distributions after 9.3
+- add patch to be able to use systen NSPR at all
+
+-------------------------------------------------------------------
+Fri Apr 22 02:06:06 CEST 2005 - ro@suse.de
+
+- use mozilla-gcc4.patch
+
+-------------------------------------------------------------------
+Thu Apr 21 12:51:19 CEST 2005 - stark@suse.de
+
+- don't execute gconf magic within build environment
+
+-------------------------------------------------------------------
+Sat Apr 16 13:05:37 CEST 2005 - stark@suse.de
+
+- update to final 1.0.3 release
+
+-------------------------------------------------------------------
+Fri Apr 15 00:10:54 CEST 2005 - ro@suse.de
+
+- fix problem in postinstall script
+
+-------------------------------------------------------------------
+Wed Apr 14 09:20:02 CEST 2005 - stark@suse.de
+
+- included fixed lockdown patch for NLD
+- linked proxies within Firefox with gnome settings (NLD)
+- added gconfd restart procedure to install script
+ (only needed if gconf changes are done) (#76852)
+
+-------------------------------------------------------------------
+Sat Apr 2 21:03:11 CEST 2005 - stark@suse.de
+
+- update to security pre-release 1.0.3 (#75692)
+ * Manual plug-in install, javascript vulnerability (bmo #288556)
+ * Access memory vulnerability (bmo #288688)
+
+-------------------------------------------------------------------
+Fri Apr 1 11:32:44 CEST 2005 - stark@suse.de
+
+- added advanced lockdown features for ZLM integration (NLD-only)
+
+-------------------------------------------------------------------
+Tue Mar 22 12:33:15 CET 2005 - stark@suse.de
+
+- update to final 1.0.2
+- use new theme handling on NLD
+- added default-plugin-less-annoying from mozilla
+- use GTK2 for Flash
+- use system NSPR on SUSE releases after 9.3
+- made startscript PIS aware
+- set g-application-name correctly (bmo #281979)
+- added man-page
+- use GTK system colors
+- modify useragent string and add vendor id
+- activate smooth-scrolling by default (#74310)
+
+-------------------------------------------------------------------
+Tue Mar 22 08:59:06 CET 2005 - stark@suse.de
+
+- don't register beagle automatically (#74062)
+- added default bookmarks for SUSE LINUX
+
+-------------------------------------------------------------------
+Mon Mar 21 18:20:39 CET 2005 - max@suse.de
+
+- Fixed a typo in the shell code that handles inclusion of the
+ Acrobat Reader plugin (#70861).
+
+-------------------------------------------------------------------
+Thu Mar 17 21:01:11 CET 2005 - stark@suse.de
+
+- updates from upcoming 1.0.2
+- added again logic to use Adobe Reader 7 (#70861)
+- fixed crash in ICO decoding (#67142, bmo #245631)
+- preinstall beagle extension (#72920)
+- bugfixes in trigger scripts
+- fixed industrial theming for Gnome (#72918)
+
+-------------------------------------------------------------------
+Sat Mar 12 12:42:16 CET 2005 - stark@suse.de
+
+- fixed more security related bugs
+ (bmo #284551, #284627, #285595)
+
+-------------------------------------------------------------------
+Wed Mar 9 21:42:05 CET 2005 - stark@suse.de
+
+- update also GNOME desktop file (#71810)
+- added firefox-gnome.png to filelist
+- use correct Firefox icon
+
+-------------------------------------------------------------------
+Mon Mar 7 20:47:00 CET 2005 - stark@suse.de
+
+- disable inclusion of acrobat plugin again (#70861)
+- don't use gconfd in registration phase (#66381)
+
+-------------------------------------------------------------------
+Mon Mar 7 16:13:29 CET 2005 - adrian@suse.de
+
+- use standard icon again for the default desktop file and
+ add a Gnome-only desktop file for the Gnome icon
+- add plastikfox chrome theme to fix button order within KDE
+- add patch for automatic theme selection for KDE and Gnome
+- do register extensions in rebuild-databases.sh instead of %install,
+ to fix needed timestamps
+
+-------------------------------------------------------------------
+Fri Mar 4 07:54:47 CET 2005 - stark@suse.de
+
+- extend add-plugins to recognize Java 1.5 (#66909)
+- changed comment in desktop-file (#66867)
+
+-------------------------------------------------------------------
+Tue Feb 22 09:33:44 CET 2005 - stark@suse.de
+
+- make --display parameter working in all cases (bnc #66043)
+- revised postscript patch
+- final 1.0.1 codebase
+
+-------------------------------------------------------------------
+Mon Feb 21 13:09:30 CET 2005 - stark@suse.de
+
+- added patch to create Postscript level 2 (instead of 3)
+ (special thanks to Jungshik Shin)
+- disabled freetype explicitly to be able to use the above patch
+ (freetype wasn't used anymore since some time anyway)
+
+-------------------------------------------------------------------
+Fri Feb 18 09:10:10 CET 2005 - stark@suse.de
+
+- got more patches from branch to get another IDN fix and to
+ fix bug #51019
+- enabled IDN again
+
+-------------------------------------------------------------------
+Wed Feb 16 09:20:39 CET 2005 - stark@suse.de
+
+- bumped version number to 1.0.1
+
+-------------------------------------------------------------------
+Tue Feb 15 10:26:04 CET 2005 - stark@suse.de
+
+- got updates from 1.0.1 branch
+
+-------------------------------------------------------------------
+Thu Feb 10 06:57:33 CET 2005 - stark@suse.de
+
+- additional fireflashing fix (#50635, bmo #280664)
+- some more security related fixes
+ (bmo #268483, #273498, #277322)
+- fire up GTK2 filepicker if GNOME is running
+
+-------------------------------------------------------------------
+Tue Feb 8 07:51:13 CET 2005 - stark@suse.de
+
+- some prefs are ignored (bmo #261934)
+- disabled default IDN (#50566)
+- fixed some more bugzilla.mozilla.org bugs:
+ #276482, #280056, #280603
+
+-------------------------------------------------------------------
+Sun Feb 6 13:10:12 CET 2005 - stark@suse.de
+
+- use same desktop categories for Professional and NLD
+- added some lockdown stuff for printing and page saving
+ (bmo #280488)
+
+-------------------------------------------------------------------
+Wed Feb 2 13:58:53 CET 2005 - stark@suse.de
+
+- modified gconf.diff to honor ignore_hosts (bmo #280742)
+- added a JS crasher fix (bmo #268535)
+- added more fixes (bmo #255441, #273024, #275405, #275634)
+
+-------------------------------------------------------------------
+Fri Jan 28 12:39:37 CET 2005 - stark@suse.de
+
+- added gplflash inclusion
+- improved JRE inclusion
+- reactivated usage of Acrobat Reader plugin
+ (ready for acroread 7)
+
+-------------------------------------------------------------------
+Sat Jan 22 13:16:47 CET 2005 - stark@suse.de
+
+- added some backported bugfixes
+
+-------------------------------------------------------------------
+Sat Dec 18 10:30:11 CET 2004 - stark@suse.de
+
+- updated industrial theme to 1.0.9
+- use slightly changed icon for menu-entry (bnc #275)
+- use original desktop file for NLD again
+
+-------------------------------------------------------------------
+Thu Dec 16 19:37:48 CET 2004 - stark@suse.de
+
+- newer patch for GNOME associations (bnc #362)
+- fix overwriting of files with GTK picker (Ximian #65068)
+- readded the industrial default theme patch for NLD
+
+-------------------------------------------------------------------
+Wed Dec 15 11:50:56 CET 2004 - stark@suse.de
+
+- activate GTK filepicker for NLD again
+- fix for GNOME helper applications with parameters
+- make GNOME associations the default on NLD
+
+-------------------------------------------------------------------
+Sat Dec 4 16:11:01 CET 2004 - stark@suse.de
+
+- fixed build on s390/s390x
+- added patch to be able to install-global without running X
+ (bmo #265859)
+
+-------------------------------------------------------------------
+Thu Nov 18 21:48:05 CET 2004 - stark@suse.de
+
+- update industrial theme to 1.0.8 (still not activated)
+- added patch to make home-directory the default download dir
+ (on NLD is still used Desktop)
+
+-------------------------------------------------------------------
+Thu Nov 11 09:01:58 CET 2004 - stark@suse.de
+
+- made initial window height smaller again
+
+-------------------------------------------------------------------
+Tue Nov 9 09:09:06 CET 2004 - stark@suse.de
+
+- update to final 1.0 release (20041109)
+
+-------------------------------------------------------------------
+Thu Nov 4 08:22:36 CET 2004 - stark@suse.de
+
+- update to 1.0rc2
+
+-------------------------------------------------------------------
+Sat Oct 30 21:27:29 CEST 2004 - stark@suse.de
+
+- added missing s390(x) patch
+
+-------------------------------------------------------------------
+Wed Oct 27 07:26:25 CEST 2004 - stark@suse.de
+
+- update to 1.0rc1 codebase
+- printing via XFT/fontconfig
+- freetype changes to avoid API conflicts with newer freetype2
+- fixed build for s390/s390x
+- removed AMD64 patch (included upstream)
+- added translations sub-package
+- removed "Show folder" patch for NLD (resolved upstream)
+- don't use gnome-filepicker patch for NLD for now
+- removed hppa buildfix (included upstream)
+- removed untitled.patch (bmo #24068) resolved by (bmo #262478)
+- use make -C browser/installer now to prepare installation
+- don't check for default browser at startup (#47587)
+- updated industrial.jar (0.99.13) (disabled)
+
+-------------------------------------------------------------------
+Fri Oct 15 13:51:54 CEST 2004 - stark@suse.de
+
+- inherit locale from system
+- fixed chrome registration
+
+-------------------------------------------------------------------
+Wed Oct 6 23:11:01 CEST 2004 - joeshaw@suse.de
+
+ - disable gconf settings as default (Ximian #67718)
+
+-------------------------------------------------------------------
+Wed Oct 6 07:04:05 CEST 2004 - stark@suse.de
+
+- fixed inclusion of RealPlayer plugin again
+
+-------------------------------------------------------------------
+Tue Oct 5 10:09:04 CEST 2004 - stark@suse.de
+
+- small important fix in firefox-download.patch (Ximian #65472)
+
+-------------------------------------------------------------------
+Sun Oct 3 00:02:09 CEST 2004 - stark@suse.de
+
+- added security-fix from 0.10.1 (mozilla.org #259708) (#46687)
+
+-------------------------------------------------------------------
+Fri Oct 1 12:49:38 CEST 2004 - stark@suse.de
+
+- final fix for downloading to Desktop folder (Ximian #65756)
+- remove Postscript from printer names (Ximian #65560)
+
+-------------------------------------------------------------------
+Thu Sep 30 16:14:10 CEST 2004 - shprasad@suse.de
+
+- Modified the MozillaFirefox.desktop file.
+ Changed the name 'Firefox' to 'Firefox Web Browser'.
+ Also changed it for all languages.
+
+-------------------------------------------------------------------
+Wed Sep 29 15:54:46 CEST 2004 - stark@suse.de
+
+- fix inclusion of RealPlayer plugin (Ximian #65711)
+
+-------------------------------------------------------------------
+Mon Sep 27 17:51:24 CEST 2004 - joeshaw@suse.de
+
+- Update the industrial default patch, for some reason it didn't
+ take before.
+
+-------------------------------------------------------------------
+Fri Sep 24 07:34:48 CEST 2004 - stark@suse.de
+
+- fix for Ximian #65176 (mozilla.org #240068)
+- revised patch for update function (Ximian #65615)
+
+-------------------------------------------------------------------
+Thu Sep 23 20:21:39 CEST 2004 - joeshaw@suse.de
+
+- Uncomment the patch which tells the UI that industrial is the
+ default.
+
+-------------------------------------------------------------------
+Thu Sep 23 12:38:06 CEST 2004 - stark@suse.de
+
+- open Nautilus on NLD for 'Show folder' in download settings
+ (Ximian #65472) by sragavan@novell.com
+- save to Desktop folder if selected (Ximian #65756)
+ by sragavan@novell.com
+
+-------------------------------------------------------------------
+Wed Sep 22 10:23:01 CEST 2004 - stark@suse.de
+
+- synced NLD package with 9.2 version
+- GTK2 filepicker does now ask for confirmation when overwriting
+ files (Ximian #65068) by sagarwala@novell.com
+- no direct update function (Ximian #65615) by rganesan@novell.com
+- throbber linked to Novell (Ximian #66283) by rganesan@novell.com
+- make industrial the default theme for NLD
+ (Ximian #65542) by joeshaw@suse.de
+
+-------------------------------------------------------------------
+Mon Sep 20 22:00:55 CEST 2004 - joeshaw@suse.de
+
+- Add default bookmarks. Ximian #65546.
+- Add the industrial theme, but it's not the default yet.
+- Remove acroread from add-plugins because it's badly behaved.
+ Ximian #65499.
+
+-------------------------------------------------------------------
+Mon Sep 20 17:57:38 CEST 2004 - federico@ximian.com
+
+- Added MozillaFirefox-toplevel-window-height.diff for
+ http://bugzilla.ximian.com/show_bug.cgi?id=65543
+
+-------------------------------------------------------------------
+Sun Sep 19 15:42:30 CEST 2004 - stark@suse.de
+
+- use GNOME system prefs only for NLD by default
+ (fixes bug #45575)
+
+-------------------------------------------------------------------
+Fri Sep 17 08:59:32 CEST 2004 - stark@suse.de
+
+- joeshaw@suse.de: Update GConf patch so that proxy settings work
+ correctly (Ximian #64461)
+- don't search Java on every path (Ximian #65383)
+- added some missing fixes for official release
+- added new java package name for triggers (#45257)
+
+-------------------------------------------------------------------
+Sat Sep 11 13:25:41 CEST 2004 - stark@suse.de
+
+- update to official 1.0PR (0.10)
+- adopted gnome-filepicker patch
+- removed obsolete CUPS hack from start-script
+ (Ximian #65635, #65560)
+
+-------------------------------------------------------------------
+Thu Sep 9 21:35:42 CEST 2004 - stark@suse.de
+
+- fixed endianess on AMD64 in JS component (#34743)
+
+-------------------------------------------------------------------
+Mon Sep 6 17:33:07 CEST 2004 - stark@suse.de
+
+- fixed filelist
+
+-------------------------------------------------------------------
+Mon Sep 6 13:48:03 CEST 2004 - stark@suse.de
+
+- update to 1.0PR (aka 0.10)
+
+-------------------------------------------------------------------
+Fri Sep 3 21:35:47 CEST 2004 - stark@suse.de
+
+- added ppc64 patch
+
+-------------------------------------------------------------------
+Thu Sep 2 03:08:59 CEST 2004 - dave@suse.de
+
+- Fixed up the .desktop installation on nld
+
+-------------------------------------------------------------------
+Wed Sep 1 15:05:48 CEST 2004 - shprasad@suse.de
+
+- Doesn't ask to set Firefox as default web-browser.
+
+-------------------------------------------------------------------
+Tue Aug 31 14:01:18 CEST 2004 - stark@suse.de
+
+- next new version for filepicker stuff
+- deactivated native filepicker for NLD
+- update to snapshot (20040831)
+
+-------------------------------------------------------------------
+Tue Aug 24 17:35:52 CEST 2004 - stark@suse.de
+
+- new version of gnome-filepicker patch
+- added patch for config
+
+-------------------------------------------------------------------
+Fri Aug 20 17:12:48 CEST 2004 - stark@suse.de
+
+- update to snapshot (20040820)
+
+-------------------------------------------------------------------
+Thu Aug 19 08:46:42 CEST 2004 - stark@suse.de
+
+- added workaround for mozilla bug #246313
+ (Firefox does not start: getting "cannot open display" error)
+
+-------------------------------------------------------------------
+Wed Aug 18 15:07:22 CEST 2004 - stark@suse.de
+
+- added some patches from Ximian
+ - use GNOME filepicker
+ - use more gconf settings
+ - set startup homepage to Novell
+
+-------------------------------------------------------------------
+Tue Aug 17 13:12:35 CEST 2004 - stark@suse.de
+
+- update to pre-1.0.0 (20040817)
+
+-------------------------------------------------------------------
+Thu Aug 5 06:27:41 CEST 2004 - stark@suse.de
+
+- security update to 0.9.3
+ (including #43312 and others)
+- handle RealPlayer 9 plugin
+
+-------------------------------------------------------------------
+Mon Aug 2 15:11:51 CEST 2004 - ro@suse.de
+
+- recode desktop file to utf-8
+
+-------------------------------------------------------------------
+Wed Jul 28 08:46:31 CEST 2004 - stark@suse.de
+
+- added fix against certificate spoofing (#43312)
+
+-------------------------------------------------------------------
+Fri Jul 23 06:31:41 CEST 2004 - stark@suse.de
+
+- update to 0.9.2
+- added workaround for extension registry
+- removed old (incompatible) mozex extension
+
+-------------------------------------------------------------------
+Tue Jun 29 06:27:59 CEST 2004 - stark@suse.de
+
+- update to 0.9.1
+- added hint to run as root first
+
+-------------------------------------------------------------------
+Tue Jun 15 12:42:28 CEST 2004 - stark@suse.de
+
+- update to 0.9
+- added patch for newer freetype
+
+-------------------------------------------------------------------
+Fri Apr 2 10:31:45 CEST 2004 - stark@suse.de
+
+- removing relocation of TEMP directory (#34391)
+
+-------------------------------------------------------------------
+Mon Mar 29 11:43:51 CEST 2004 - stark@suse.de
+
+- update to 0.8.0+ (20040503)
+- removed firefox logos and activate official branding for
+ milestone builds
+- changed profile-dir to .firefox
+- added some needed files
+- enabled gnomevfs extension
+
+-------------------------------------------------------------------
+Fri Mar 26 18:09:34 CET 2004 - uli@suse.de
+
+- fixed hang during build on s390* (bug #35440)
+
+-------------------------------------------------------------------
+Wed Mar 3 06:52:00 CET 2004 - stark@suse.de
+
+- removed unused patches for GTK2 build
+- more fixes for (#35179)
+
+-------------------------------------------------------------------
+Mon Mar 1 07:32:52 CET 2004 - stark@suse.de
+
+- improved start-script to interact with thunderbird (#35179)
+
+-------------------------------------------------------------------
+Thu Feb 26 06:57:05 CET 2004 - stark@suse.de
+
+- use official releasedate
+- added official (trademarked) artwork
+- added firefox icon to /usr/share/pixmaps
+- cleaned up spec-file (there will be no GTK1 version)
+
+-------------------------------------------------------------------
+Tue Feb 24 16:43:17 CET 2004 - stark@suse.de
+
+- fixed optimization for non-x86 archs
+
+-------------------------------------------------------------------
+Tue Feb 24 07:43:35 CET 2004 - stark@suse.de
+
+- adopted file-list and build options to original distribution
+- added prdtoa fix (#32963)
+- added hook for static firefox build to rebuild-databases.sh
+- added compiler flags for security/ (nss-opt.patch)
+- included mozex (mozex.mozdev.org)
+- added -Os as optimization flag
+
+-------------------------------------------------------------------
+Mon Feb 9 21:59:37 CET 2004 - stark@suse.de
+
+- renamed to MozillaFirefox
+- update to final version 0.8
+
+-------------------------------------------------------------------
+Fri Feb 6 08:39:15 CET 2004 - stark@suse.de
+
+- update to Firebird 0.8 (20040205)
+- added mips build fix
+- set PS printer list in MozillaFirebird.sh
+- use lib64 again for biarch platforms
+
+-------------------------------------------------------------------
+Sat Jan 10 10:33:54 CET 2004 - adrian@suse.de
+
+- build as user
+
+-------------------------------------------------------------------
+Fri Aug 22 11:32:07 CEST 2003 - stark@suse.de
+
+- upstream sync for 0.6.1post
+
+-------------------------------------------------------------------
+Sun Aug 10 22:01:12 CEST 2003 - stark@suse.de
+
+- removed dmoz from searchplugins-filelist
+
+-------------------------------------------------------------------
+Fri Aug 8 10:30:50 CEST 2003 - stark@suse.de
+
+- update to 0.6.1post (TRUNK)
+- use -fno-strict-aliasing
+
+-------------------------------------------------------------------
+Thu Jul 31 11:25:39 CEST 2003 - stark@suse.de
+
+- update to 0.6.1 (MOZILLA_1_4_BRANCH)
+- synchronized with mozilla-source
+- created file-list
+
+-------------------------------------------------------------------
+Thu Jul 10 09:45:49 CEST 2003 - stark@suse.de
+
+- update to snapshot 20030709
+- fixed generation of symlink MozillaFirebird-xremote-client
+
+-------------------------------------------------------------------
+Fri Jun 20 06:53:08 CEST 2003 - stark@suse.de
+
+- update to snapshot 20030622 (0.7pre)
+
+-------------------------------------------------------------------
+Mon May 19 08:54:46 CEST 2003 - stark@suse.de
+
+- update to snapshot 20030518 (0.6)
+
+-------------------------------------------------------------------
+Sun May 7 10:11:16 CEST 2003 - stark@suse.de
+
+- update to snapshot 20030507
+
+-------------------------------------------------------------------
+Wed Apr 30 13:26:43 CEST 2003 - stark@suse.de
+
+- initial SuSE package
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/MozillaFirefox/MozillaFirefox.spec Fri Oct 01 12:00:20 2021 +0200
@@ -0,0 +1,808 @@
+#
+# spec file
+#
+# Copyright (c) 2021 SUSE LLC
+# 2006-2021 Wolfgang Rosenauer <wr@rosenauer.org>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define _dwz_low_mem_die_limit 40000000
+%define _dwz_max_die_limit 200000000
+
+# changed with every update
+# orig_version vs. mainver: To have beta-builds
+# FF70beta3 would be released as FF69.99
+# orig_version would be the upstream tar ball
+# orig_version 70.0
+# orig_suffix b3
+# major 69
+# mainver %major.99
+%define major 92
+%define mainver %major.0.1
+%define orig_version 92.0.1
+%define orig_suffix %{nil}
+%define update_channel release
+%define branding 1
+%define devpkg 1
+
+# PGO builds do not work in TW currently (bmo#1680306)
+%define do_profiling 0
+
+# upstream default is clang (to use gcc for large parts set to 0)
+%define clang_build 0
+
+# PIE, full relro
+%define build_hardened 1
+
+%bcond_with only_print_mozconfig
+
+# define if ccache should be used or not
+%define useccache 1
+
+# SLE-12 doesn't have this macro
+%{!?_rpmmacrodir: %global _rpmmacrodir %{_rpmconfigdir}/macros.d}
+
+# Firefox only supports i686
+%ifarch %ix86
+ExclusiveArch: i586 i686
+BuildArch: i686
+%{expand:%%global optflags %(echo "%optflags"|sed -e s/i586/i686/) -march=i686 -mtune=generic}
+%endif
+
+# general build definitions
+%define progname firefox
+%define appname Firefox
+%define pkgname MozillaFirefox
+%define srcname firefox
+%define progdir %{_prefix}/%_lib/%{progname}
+%define gnome_dir %{_prefix}
+%define desktop_file_name %{progname}
+%define firefox_appid \{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
+%define __provides_exclude ^lib.*\\.so.*$
+%define __requires_exclude ^(libmoz.*|liblgpllibs.*|libxul.*)$
+%define localize 1
+%ifarch %ix86 x86_64
+%define crashreporter 1
+%else
+%define crashreporter 0
+%endif
+%define with_pipewire0_3 1
+%define wayland_supported 1
+%if 0%{?sle_version} > 0 && 0%{?sle_version} < 150200
+# pipewire is too old on Leap <=15.1
+%define with_pipewire0_3 0
+# Wayland is too old on Leap <=15.1 as well
+%define wayland_supported 0
+%endif
+
+Name: %{pkgname}
+BuildRequires: Mesa-devel
+BuildRequires: alsa-devel
+BuildRequires: autoconf213
+BuildRequires: dbus-1-glib-devel
+BuildRequires: dejavu-fonts
+BuildRequires: fdupes
+BuildRequires: memory-constraints
+%if 0%{?suse_version} <= 1320
+BuildRequires: gcc9-c++
+%else
+BuildRequires: gcc-c++
+%endif
+%if 0%{?suse_version} < 1550 && 0%{?sle_version} < 150300
+BuildRequires: cargo >= 1.51
+BuildRequires: rust >= 1.51
+%else
+# Newer sle/leap/tw use parallel versioned rust releases which have
+# a different method for provides that we can use to request a
+# specific version
+BuildRequires: rust+cargo >= 1.51
+%endif
+%if 0%{useccache} != 0
+BuildRequires: ccache
+%endif
+BuildRequires: libXcomposite-devel
+BuildRequires: libcurl-devel
+BuildRequires: libidl-devel
+BuildRequires: libiw-devel
+BuildRequires: libproxy-devel
+BuildRequires: makeinfo
+BuildRequires: mozilla-nspr-devel >= 4.32
+BuildRequires: mozilla-nss-devel >= 3.69.1
+BuildRequires: nasm >= 2.14
+BuildRequires: nodejs >= 10.22.1
+%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
+BuildRequires: python-libxml2
+BuildRequires: python36
+%else
+BuildRequires: python3 >= 3.5
+BuildRequires: python3-devel
+%endif
+BuildRequires: rust-cbindgen >= 0.19.0
+BuildRequires: unzip
+BuildRequires: update-desktop-files
+BuildRequires: xorg-x11-libXt-devel
+%if 0%{?do_profiling}
+BuildRequires: xvfb-run
+%endif
+BuildRequires: yasm
+BuildRequires: zip
+%if 0%{?suse_version} < 1550
+BuildRequires: pkgconfig(gconf-2.0) >= 1.2.1
+%endif
+%if (0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000)
+BuildRequires: clang6-devel
+%else
+BuildRequires: clang-devel >= 5
+%endif
+BuildRequires: pkgconfig(gdk-x11-2.0)
+BuildRequires: pkgconfig(glib-2.0) >= 2.22
+BuildRequires: pkgconfig(gobject-2.0)
+BuildRequires: pkgconfig(gtk+-3.0) >= 3.14.0
+BuildRequires: pkgconfig(gtk+-unix-print-3.0)
+BuildRequires: pkgconfig(libffi)
+BuildRequires: pkgconfig(libpulse)
+%if %{with_pipewire0_3}
+BuildRequires: pkgconfig(libpipewire-0.3)
+%endif
+# libavcodec is required for H.264 support but the
+# openSUSE version is currently not able to play H.264
+# therefore the Packman version is required
+# minimum version of libavcodec is 53
+Recommends: libavcodec-full >= 0.10.16
+Version: %{mainver}
+Release: 0
+%if "%{name}" == "MozillaFirefox"
+Provides: firefox = %{mainver}
+Provides: firefox = %{version}-%{release}
+%endif
+Provides: web_browser
+Provides: appdata()
+Provides: appdata(firefox.appdata.xml)
+# this is needed to match this package with the kde4 helper package without the main package
+# having a hard requirement on the kde4 package
+%define kde_helper_version 6
+Provides: mozilla-kde4-version = %{kde_helper_version}
+Summary: Mozilla %{appname} Web Browser
+License: MPL-2.0
+Group: Productivity/Networking/Web/Browsers
+URL: http://www.mozilla.org/
+%if !%{with only_print_mozconfig}
+Source: http://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/source/%{srcname}-%{orig_version}%{orig_suffix}.source.tar.xz
+Source1: MozillaFirefox.desktop
+Source2: MozillaFirefox-rpmlintrc
+Source3: mozilla.sh.in
+Source4: tar_stamps
+Source7: l10n-%{orig_version}%{orig_suffix}.tar.xz
+Source8: firefox-mimeinfo.xml
+Source9: firefox.js
+Source11: firefox.1
+Source12: mozilla-get-app-id
+Source13: spellcheck.js
+Source14: https://github.com/openSUSE/firefox-scripts/raw/4503820/create-tar.sh
+Source15: firefox-appdata.xml
+Source16: %{name}.changes
+Source17: firefox-search-provider.ini
+# Set up API keys, see http://www.chromium.org/developers/how-tos/api-keys
+# Note: these are for the openSUSE Firefox builds ONLY. For your own distribution,
+# please get your own set of keys.
+Source18: mozilla-api-key
+Source19: google-api-key
+Source20: https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/source/%{srcname}-%{orig_version}%{orig_suffix}.source.tar.xz.asc
+Source21: https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/KEY#/mozilla.keyring
+# Gecko/Toolkit
+Patch1: mozilla-nongnome-proxies.patch
+Patch2: mozilla-kde.patch
+Patch3: mozilla-ntlm-full-path.patch
+Patch4: mozilla-aarch64-startup-crash.patch
+Patch6: mozilla-sandbox-fips.patch
+Patch7: mozilla-fix-aarch64-libopus.patch
+Patch9: mozilla-s390-context.patch
+Patch10: mozilla-pgo.patch
+Patch11: mozilla-reduce-rust-debuginfo.patch
+Patch13: mozilla-bmo1005535.patch
+Patch14: mozilla-bmo1568145.patch
+Patch15: mozilla-bmo1504834-part1.patch
+Patch16: mozilla-bmo1504834-part2.patch
+Patch17: mozilla-bmo1504834-part3.patch
+Patch19: mozilla-bmo1512162.patch
+Patch20: mozilla-fix-top-level-asm.patch
+Patch21: mozilla-bmo1504834-part4.patch
+Patch22: mozilla-bmo849632.patch
+Patch24: mozilla-bmo1602730.patch
+Patch25: mozilla-bmo998749.patch
+Patch26: mozilla-bmo1626236.patch
+Patch27: mozilla-s390x-skia-gradient.patch
+Patch28: mozilla-libavcodec58_91.patch
+Patch29: mozilla-bmo1708709.patch
+Patch30: mozilla-silence-no-return-type.patch
+Patch31: mozilla-bmo1725828.patch
+# Firefox/browser
+Patch101: firefox-kde.patch
+Patch102: firefox-branded-icons.patch
+%endif
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+Requires(post): coreutils shared-mime-info desktop-file-utils
+Requires(postun):shared-mime-info desktop-file-utils
+Requires: %{name}-branding >= 68
+%requires_ge mozilla-nspr
+%requires_ge mozilla-nss
+%requires_ge libfreetype6
+Recommends: libcanberra0
+Recommends: libpulse0
+# addon leads to startup crash (bnc#908892)
+Obsoletes: tracker-miner-firefox < 0.15
+%if 0%{?devpkg} == 0
+Obsoletes: %{name}-devel < %{version}
+%endif
+# libproxy's mozjs pacrunner crashes FF (bnc#759123)
+%if 0%{?suse_version} < 1220
+Obsoletes: libproxy1-pacrunner-mozjs <= 0.4.7
+%endif
+ExcludeArch: armv6l armv6hl
+
+%description
+Mozilla Firefox is a standalone web browser, designed for standards
+compliance and performance. Its functionality can be enhanced via a
+plethora of extensions.
+
+%if 0%{?devpkg}
+%package devel
+Summary: Devel package for %{appname}
+Group: Development/Tools/Other
+Provides: firefox-devel = %{version}-%{release}
+Requires: %{name} = %{version}
+Requires: perl(Archive::Zip)
+Requires: perl(XML::Simple)
+
+%description devel
+Development files for %{appname} to make packaging of addons easier.
+%endif
+
+%if %localize
+%package translations-common
+Summary: Common translations for %{appname}
+Group: System/Localization
+Provides: locale(%{name}:ar;ca;cs;da;de;el;en_GB;es_AR;es_CL;es_ES;fi;fr;hu;it;ja;ko;nb_NO;nl;pl;pt_BR;pt_PT;ru;sv_SE;zh_CN;zh_TW)
+# This is there for updates from Firefox before the translations-package was split up into 2 packages
+Provides: %{name}-translations
+Requires: %{name} = %{version}
+Obsoletes: %{name}-translations < %{version}-%{release}
+
+%description translations-common
+This package contains several common languages for the user interface
+of %{appname}.
+
+%package translations-other
+Summary: Extra translations for %{appname}
+Group: System/Localization
+Provides: locale(%{name}:ach;af;an;ast;az;be;bg;bn;br;bs;cak;cy;dsb;en_CA;eo;es_MX;et;eu;fa;ff;fy_NL;ga_IE;gd;gl;gn;gu_IN;he;hi_IN;hr;hsb;hy_AM;ia;id;is;ka;kab;kk;km;kn;lij;lt;lv;mk;mr;ms;my;ne_NP;nn_NO;oc;pa_IN;rm;ro;si;sk;sl;son;sq;sr;ta;te;th;tr;uk;ur;uz;vi;xh)
+Requires: %{name} = %{version}
+Obsoletes: %{name}-translations < %{version}-%{release}
+
+%description translations-other
+This package contains rarely used languages for the user interface
+of %{appname}.
+%endif
+
+%package branding-upstream
+Summary: Upstream branding for %{appname}
+Group: Productivity/Networking/Web/Browsers
+Provides: %{name}-branding = %{version}
+Conflicts: otherproviders(%{name}-branding)
+Supplements: packageand(%{name}:branding-upstream)
+#BRAND: Provide three files -
+#BRAND: /usr/lib/firefox/browserconfig.properties that contains the
+#BRAND: default homepage and some other default configuration options
+#BRAND: /usr/lib/firefox/defaults/profile/bookmarks.html that contains
+#BRAND: the list of default bookmarks
+#BRAND: It's also possible to create a file
+#BRAND: /usr/lib/firefox/defaults/preferences/firefox-$vendor.js to set
+#BRAND: custom preference overrides.
+#BRAND: It's also possible to drop files in /usr/lib/firefox/distribution/searchplugins/common/
+
+%description branding-upstream
+This package provides upstream look and feel for %{appname}.
+
+%if !%{with only_print_mozconfig}
+%prep
+%if %localize
+
+# If generated incorrectly, the tarball will be ~270B in
+# size, so 1MB seems like good enough limit to check.
+MINSIZE=1048576
+if (( $(stat -Lc%s "%{SOURCE7}") < MINSIZE)); then
+ echo "Translations tarball %{SOURCE7} not generated properly."
+ exit 1
+fi
+
+%setup -q -n %{srcname}-%{orig_version} -b 7
+%else
+%setup -q -n %{srcname}-%{orig_version}
+%endif
+cd $RPM_BUILD_DIR/%{srcname}-%{orig_version}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch6 -p1
+%patch7 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+# Firefox
+%patch101 -p1
+%patch102 -p1
+%endif
+
+%build
+%if !%{with only_print_mozconfig}
+# no need to add build time to binaries
+modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{pkgname}.changes")"
+DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
+TIME="\"$(date -d "${modified}" "+%%R")\""
+find . -regex ".*\.c\|.*\.cpp\|.*\.h" -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
+
+# SLE-12 provides python36, but that package does not provide a python3 binary
+%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
+sed -i "s/python3/python36/g" configure.in
+sed -i "s/python3/python36/g" mach
+export PYTHON3=/usr/bin/python36
+%endif
+
+# Webrender does not support big endian yet, so we are forcing it off
+# see: https://bugzilla.mozilla.org/show_bug.cgi?id=1716707
+%ifarch s390x ppc64
+echo 'pref("gfx.webrender.force-disabled", true);' >> %{SOURCE9}
+%endif
+
+#
+kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3)
+if test "$kdehelperversion" != %{kde_helper_version}; then
+ echo fix kde helper version in the .spec file
+ exit 1
+fi
+
+source %{SOURCE4}
+%endif
+
+export CARGO_HOME=${RPM_BUILD_DIR}/%{srcname}-%{orig_version}/.cargo
+export MOZ_SOURCE_CHANGESET=$RELEASE_TAG
+export SOURCE_REPO=$RELEASE_REPO
+export source_repo=$RELEASE_REPO
+export MOZ_SOURCE_REPO=$RELEASE_REPO
+export MOZ_BUILD_DATE=$RELEASE_TIMESTAMP
+export MOZILLA_OFFICIAL=1
+export BUILD_OFFICIAL=1
+export MOZ_TELEMETRY_REPORTING=1
+export MACH_USE_SYSTEM_PYTHON=1
+%if 0%{?suse_version} <= 1320
+export CC=gcc-9
+%else
+%if 0%{?clang_build} == 0
+export CC=gcc
+export CXX=g++
+%endif
+%endif
+%ifarch %arm %ix86
+# Limit RAM usage during link
+export LDFLAGS="${LDFLAGS} -Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
+%endif
+%if 0%{?build_hardened}
+export LDFLAGS="${LDFLAGS} -fPIC -Wl,-z,relro,-z,now"
+%endif
+%ifarch ppc64 ppc64le
+%if 0%{?clang_build} == 0
+export CFLAGS="$CFLAGS -mminimal-toc"
+%endif
+%endif
+export CXXFLAGS="$CFLAGS"
+export MOZCONFIG=$RPM_BUILD_DIR/mozconfig
+%if %{with only_print_mozconfig}
+echo "export CC=$CC"
+echo "export CXX=$CXX"
+echo "export CFLAGS=\"$CFLAGS\""
+echo "export CXXFLAGS=\"$CXXFLAGS\""
+echo "export LDFLAGS=\"$LDFLAGS\""
+echo "export RUSTFLAGS=\"$RUSTFLAGS\""
+echo "export CARGO_HOME=\"$CARGO_HOME\""
+echo "export PATH=\"$PATH\""
+echo "export LD_LIBRARY_PATH=\"$LD_LIBRARY_PATH\""
+echo "export PKG_CONFIG_PATH=\"$PKG_CONFIG_PATH\""
+echo "export MOZCONFIG=\"$MOZCONFIG\""
+echo "export MOZILLA_OFFICIAL=1"
+echo "export BUILD_OFFICIAL=1"
+echo "export MOZ_TELEMETRY_REPORTING=1"
+echo ""
+cat << EOF
+%else
+%ifarch aarch64 %arm ppc64 ppc64le
+%limit_build -m 2000
+%endif
+cat << EOF > $MOZCONFIG
+%endif
+mk_add_options MOZILLA_OFFICIAL=1
+mk_add_options BUILD_OFFICIAL=1
+mk_add_options MOZ_MAKE_FLAGS=%{?jobs:-j%jobs}
+mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/../obj
+. \$topsrcdir/browser/config/mozconfig
+ac_add_options --disable-bootstrap
+ac_add_options --prefix=%{_prefix}
+ac_add_options --libdir=%{_libdir}
+ac_add_options --includedir=%{_includedir}
+ac_add_options --enable-release
+%if 0%{wayland_supported}
+ac_add_options --enable-default-toolkit=cairo-gtk3-wayland
+%else
+ac_add_options --enable-default-toolkit=cairo-gtk3
+%endif
+# bmo#1441155 - Disable the generation of Rust debug symbols on Linux32
+%ifarch %ix86 %arm
+ac_add_options --disable-debug-symbols
+%else
+ac_add_options --enable-debug-symbols
+%endif
+# building with elf-hack started to fail everywhere with FF73
+#%if 0%{?suse_version} > 1549
+%ifnarch aarch64 ppc64 ppc64le s390x
+ac_add_options --disable-elf-hack
+%endif
+#%endif
+ac_add_options --with-system-nspr
+ac_add_options --with-system-nss
+%if 0%{useccache} != 0
+ac_add_options --with-ccache
+%endif
+%if %{localize}
+ac_add_options --with-l10n-base=$RPM_BUILD_DIR/l10n
+%endif
+#ac_add_options --with-system-jpeg # libjpeg-turbo is used internally
+#ac_add_options --with-system-png # doesn't work because of missing APNG support
+ac_add_options --with-system-zlib
+ac_add_options --disable-updater
+ac_add_options --disable-tests
+ac_add_options --enable-alsa
+ac_add_options --disable-debug
+#ac_add_options --enable-chrome-format=jar
+ac_add_options --enable-update-channel=%{update_channel}
+ac_add_options --with-mozilla-api-keyfile=%{SOURCE18}
+# Google-service currently not available for free anymore
+#ac_add_options --with-google-location-service-api-keyfile=%{SOURCE19}
+ac_add_options --with-google-safebrowsing-api-keyfile=%{SOURCE19}
+ac_add_options --with-unsigned-addon-scopes=app
+ac_add_options --allow-addon-sideload
+%if %branding
+ac_add_options --enable-official-branding
+%endif
+ac_add_options --enable-libproxy
+%if ! %crashreporter
+ac_add_options --disable-crashreporter
+%endif
+%ifarch %arm
+ac_add_options --with-fpu=vfpv3-d16
+ac_add_options --with-float-abi=hard
+%ifarch armv6l armv6hl
+ac_add_options --with-arch=armv6
+%else
+ac_add_options --with-arch=armv7-a
+%endif
+%endif
+# mitigation/workaround for bmo#1512162
+%ifarch s390x
+ac_add_options --enable-optimize="-O1"
+%endif
+%ifarch x86_64
+# LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
+%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
+ac_add_options --enable-lto
+%if 0%{?do_profiling}
+ac_add_options MOZ_PGO=1
+%endif
+%endif
+%endif
+EOF
+%if !%{with only_print_mozconfig}
+%if 0%{useccache} != 0
+ccache -s
+%endif
+%if 0%{?do_profiling}
+xvfb-run --server-args="-screen 0 1920x1080x24" \
+%endif
+./mach build -v
+
+# build additional locales
+%if %localize
+truncate -s 0 %{_tmppath}/translations.{common,other}
+# langpack-build can not be done in parallel easily (see https://bugzilla.mozilla.org/show_bug.cgi?id=1660943)
+# Therefore, we have to have a separate obj-dir for each language
+# We do this, by creating a mozconfig-template with the necessary switches
+# and a placeholder obj-dir, which gets copied and modified for each language
+
+# Create mozconfig-template for langbuild
+cat << EOF > ${MOZCONFIG}_LANG
+mk_add_options MOZILLA_OFFICIAL=1
+mk_add_options BUILD_OFFICIAL=1
+mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/../obj_LANG
+. \$topsrcdir/browser/config/mozconfig
+ac_add_options --prefix=%{_prefix}
+ac_add_options --with-l10n-base=$RPM_BUILD_DIR/l10n
+ac_add_options --disable-updater
+%if %branding
+ac_add_options --enable-official-branding
+%endif
+EOF
+
+%ifarch %ix86
+%define njobs 1
+%else
+%define njobs 0%{?jobs:%jobs}
+%endif
+mkdir -p $RPM_BUILD_DIR/langpacks_artifacts/
+sed -r '/^(ja-JP-mac|ga-IE|en-US|)$/d;s/ .*$//' $RPM_BUILD_DIR/%{srcname}-%{orig_version}/browser/locales/shipped-locales \
+ | xargs -n 1 %{?njobs:-P %njobs} -I {} /bin/sh -c '
+ locale=$1
+ cp ${MOZCONFIG}_LANG ${MOZCONFIG}_$locale
+ sed -i "s|obj_LANG|obj_$locale|" ${MOZCONFIG}_$locale
+ export MOZCONFIG=${MOZCONFIG}_$locale
+ # nsinstall is needed for langpack-build. It is already built by `./mach build`, but building it again is very fast
+ ./mach build config/nsinstall langpack-$locale
+ cp -L ../obj_$locale/dist/linux-*/xpi/firefox-%{orig_version}.$locale.langpack.xpi \
+ $RPM_BUILD_DIR/langpacks_artifacts/langpack-$locale@firefox.mozilla.org.xpi
+ # check against the fixed common list and sort into the right filelist
+ _matched=0
+ for _match in ar ca cs da de el en-GB es-AR es-CL es-ES fi fr hu it ja ko nb-NO nl pl pt-BR pt-PT ru sv-SE zh-CN zh-TW; do
+ [ "$_match" = "$locale" ] && _matched=1
+ done
+ [ $_matched -eq 1 ] && _l10ntarget=common || _l10ntarget=other
+ echo %{progdir}/browser/extensions/langpack-$locale@firefox.mozilla.org.xpi \
+ >> %{_tmppath}/translations.$_l10ntarget
+' -- {}
+%endif
+
+%if 0%{useccache} != 0
+ccache -s
+%endif
+%endif
+
+%install
+cd $RPM_BUILD_DIR/obj
+source %{SOURCE4}
+export MOZ_SOURCE_STAMP=$RELEASE_TAG
+export MOZ_SOURCE_REPO=$RELEASE_REPO
+# need to remove default en-US firefox-l10n.js before it gets
+# populated into browser's omni.ja; it only contains general.useragent.locale
+# which should be loaded from each language pack (set in firefox.js)
+rm dist/bin/browser/defaults/preferences/firefox-l10n.js
+make -C browser/installer STRIP=/bin/true MOZ_PKG_FATAL_WARNINGS=0
+#DEBUG (break the build if searchplugins are missing / temporary)
+grep amazondotcom dist/firefox/browser/omni.ja
+# copy tree into RPM_BUILD_ROOT
+mkdir -p %{buildroot}%{progdir}
+cp -rf $RPM_BUILD_DIR/obj/dist/%{srcname}/* %{buildroot}%{progdir}
+mkdir -p %{buildroot}%{progdir}/browser/extensions
+cp -rf $RPM_BUILD_DIR/langpacks_artifacts/* %{buildroot}%{progdir}/browser/extensions/
+mkdir -p %{buildroot}%{progdir}/distribution/extensions
+mkdir -p %{buildroot}%{progdir}/browser/defaults/preferences/
+# renaming executables (for regular vs. ESR)
+%if "%{srcname}" != "%{progname}"
+mv %{buildroot}%{progdir}/%{srcname} %{buildroot}%{progdir}/%{progname}
+mv %{buildroot}%{progdir}/%{srcname}-bin %{buildroot}%{progdir}/%{progname}-bin
+%endif
+# install gre prefs
+install -m 644 %{SOURCE13} %{buildroot}%{progdir}/defaults/pref/
+# install browser prefs
+install -m 644 %{SOURCE9} %{buildroot}%{progdir}/browser/defaults/preferences/firefox.js
+
+# remove some executable permissions
+find %{buildroot}%{progdir} \
+ -name "*.js" -o \
+ -name "*.jsm" -o \
+ -name "*.rdf" -o \
+ -name "*.properties" -o \
+ -name "*.dtd" -o \
+ -name "*.txt" -o \
+ -name "*.xml" -o \
+ -name "*.css" \
+ -exec chmod a-x {} +
+# remove mkdir.done files from installed base
+find %{buildroot}%{progdir} -type f -name ".mkdir.done" -delete
+# overwrite the mozilla start-script and link it to /usr/bin
+mkdir --parents %{buildroot}/usr/bin
+sed "s:%%PREFIX:%{_prefix}:g
+s:%%PROGDIR:%{progdir}:g
+s:%%APPNAME:%{progname}:g
+s:%%WAYLAND_SUPPORTED:%{wayland_supported}:g
+s:%%PROFILE:.mozilla/firefox:g" \
+ %{SOURCE3} > %{buildroot}%{progdir}/%{progname}.sh
+chmod 755 %{buildroot}%{progdir}/%{progname}.sh
+ln -sf ../..%{progdir}/%{progname}.sh %{buildroot}%{_bindir}/%{progname}
+# desktop file
+mkdir -p %{buildroot}%{_datadir}/applications
+sed "s:%%NAME:%{appname}:g
+s:%%EXEC:%{progname}:g
+s:%%ICON:%{progname}:g" \
+ %{SOURCE1} > %{buildroot}%{_datadir}/applications/%{desktop_file_name}.desktop
+%suse_update_desktop_file %{desktop_file_name} Network WebBrowser GTK
+# additional mime-types
+mkdir -p %{buildroot}%{_datadir}/mime/packages
+cp %{SOURCE8} %{buildroot}%{_datadir}/mime/packages/%{progname}.xml
+# appdata
+mkdir -p %{buildroot}%{_datadir}/metainfo
+sed "s:firefox.desktop:%{desktop_file_name}:g" \
+ %{SOURCE15} > %{buildroot}%{_datadir}/metainfo/%{desktop_file_name}.appdata.xml
+# install man-page
+mkdir -p %{buildroot}%{_mandir}/man1/
+cp %{SOURCE11} %{buildroot}%{_mandir}/man1/%{progname}.1
+# install GNOME Shell search provider
+mkdir -p %{buildroot}%{_datadir}/gnome-shell/search-providers
+cp %{SOURCE17} %{buildroot}%{_datadir}/gnome-shell/search-providers
+##########
+# ADDONS
+#
+mkdir -p %{buildroot}%{_datadir}/mozilla/extensions/%{firefox_appid}
+mkdir -p %{buildroot}%{_libdir}/mozilla/extensions/%{firefox_appid}
+# Install symbolic icon for GNOME
+%if %branding
+for size in 16 22 24 32 48 64 128 256; do
+%else
+for size in 16 32 48; do
+%endif
+ mkdir -p %{buildroot}%{gnome_dir}/share/icons/hicolor/${size}x${size}/apps/
+ cp %{buildroot}%{progdir}/browser/chrome/icons/default/default$size.png \
+ %{buildroot}%{gnome_dir}/share/icons/hicolor/${size}x${size}/apps/%{progname}.png
+done
+# excludes
+rm -f %{buildroot}%{progdir}/updater.ini
+rm -f %{buildroot}%{progdir}/removed-files
+rm -f %{buildroot}%{progdir}/README.txt
+rm -f %{buildroot}%{progdir}/old-homepage-default.properties
+rm -f %{buildroot}%{progdir}/run-mozilla.sh
+rm -f %{buildroot}%{progdir}/LICENSE
+rm -f %{buildroot}%{progdir}/precomplete
+rm -f %{buildroot}%{progdir}/update-settings.ini
+%if 0%{?devpkg}
+# devel
+mkdir -p %{buildroot}%{_bindir}
+install -m 755 %SOURCE12 %{buildroot}%{_bindir}
+# inspired by mandriva
+mkdir -p %{buildroot}%{_rpmmacrodir}
+cat <<'FIN' >%{buildroot}%{_rpmmacrodir}/macros.%{progname}
+# Macros from %{name} package
+%%firefox_major %{major}
+%%firefox_version %{version}
+%%firefox_mainver %{mainver}
+%%firefox_mozillapath %%{_libdir}/%{progname}
+%%firefox_pluginsdir %%{_libdir}/mozilla/plugins
+%%firefox_appid \{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
+%%firefox_extdir %%(if [ "%%_target_cpu" = "noarch" ]; then echo %%{_datadir}/mozilla/extensions/%%{firefox_appid}; else echo %%{_libdir}/mozilla/extensions/%%{firefox_appid}; fi)
+
+%%firefox_ext_install() \
+ extdir="%%{buildroot}%%{firefox_extdir}/`mozilla-get-app-id '%%1'`" \
+ mkdir -p "$extdir" \
+ %%{__unzip} -q -d "$extdir" "%%1" \
+ %%{nil}
+FIN
+%endif
+# fdupes
+%fdupes %{buildroot}%{progdir}
+%fdupes %{buildroot}%{_datadir}
+
+%clean
+rm -rf %{buildroot}
+%if %localize
+rm -rf %{_tmppath}/translations.*
+%endif
+
+%post
+# update mime and desktop database
+%mime_database_post
+%desktop_database_post
+%icon_theme_cache_post
+exit 0
+
+%postun
+%icon_theme_cache_postun
+%desktop_database_postun
+%mime_database_postun
+exit 0
+
+%files
+%defattr(-,root,root)
+%dir %{progdir}
+%dir %{progdir}/browser/
+%dir %{progdir}/browser/chrome/
+%{progdir}/browser/defaults
+%{progdir}/browser/features/
+%{progdir}/browser/chrome/icons
+%{progdir}/browser/omni.ja
+%dir %{progdir}/distribution/
+%{progdir}/distribution/extensions/
+%{progdir}/defaults/
+%{progdir}/gmp-clearkey/
+%attr(755,root,root) %{progdir}/%{progname}.sh
+%{progdir}/%{progname}
+%{progdir}/%{progname}-bin
+%{progdir}/application.ini
+%{progdir}/dependentlibs.list
+%{progdir}/*.so
+%{progdir}/omni.ja
+%{progdir}/fonts/
+%{progdir}/pingsender
+%{progdir}/platform.ini
+%{progdir}/plugin-container
+%if %crashreporter
+%{progdir}/crashreporter
+%{progdir}/crashreporter.ini
+%{progdir}/Throbber-small.gif
+%{progdir}/minidump-analyzer
+%{progdir}/browser/crashreporter-override.ini
+%endif
+%{_datadir}/applications/%{desktop_file_name}.desktop
+%{_datadir}/mime/packages/%{progname}.xml
+%dir %{_datadir}/gnome-shell
+%dir %{_datadir}/gnome-shell/search-providers
+%{_datadir}/gnome-shell/search-providers/*.ini
+%dir %{_datadir}/mozilla
+%dir %{_datadir}/mozilla/extensions
+%dir %{_datadir}/mozilla/extensions/%{firefox_appid}
+%dir %{_libdir}/mozilla
+%dir %{_libdir}/mozilla/extensions
+%dir %{_libdir}/mozilla/extensions/%{firefox_appid}
+%{gnome_dir}/share/icons/hicolor/
+%{_bindir}/%{progname}
+%doc %{_mandir}/man1/%{progname}.1.gz
+%{_datadir}/metainfo/
+
+%if 0%{?devpkg}
+%files devel
+%defattr(-,root,root)
+%{_bindir}/mozilla-get-app-id
+%{_rpmmacrodir}/macros.%{progname}
+%endif
+
+%if %localize
+%files translations-common -f %{_tmppath}/translations.common
+%defattr(-,root,root)
+%dir %{progdir}
+%dir %{progdir}/browser/extensions/
+
+%files translations-other -f %{_tmppath}/translations.other
+%defattr(-,root,root)
+%dir %{progdir}
+%dir %{progdir}/browser/extensions/
+%endif
+
+# this package does not need to provide files but is needed to fulfill
+# requirements if no other branding package is to be installed
+%files branding-upstream
+%defattr(-,root,root)
+%dir %{progdir}
+
+%changelog
--- a/MozillaFirefox/_constraints Mon Sep 06 12:03:54 2021 +0200
+++ b/MozillaFirefox/_constraints Fri Oct 01 12:00:20 2021 +0200
@@ -35,13 +35,13 @@
<hardware>
<processors>4</processors>
<disk>
- <size unit="G">30</size>
+ <size unit="G">36</size>
</disk>
<memoryperjob>
<size unit="M">1000</size>
</memoryperjob>
<physicalmemory>
- <size unit="G">9</size>
+ <size unit="G">12</size>
</physicalmemory>
</hardware>
</overwrite>
--- a/MozillaFirefox/firefox-esr.changes Mon Sep 06 12:03:54 2021 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8551 +0,0 @@
--------------------------------------------------------------------
-Fri Sep 3 11:12:18 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 91.1.0 ESR
-- switched to ESR branch and renamed package accordingly
-- updated appdata
-- don't apply mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
-- bring back mozilla-silence-no-return-type.patch and
- run post-build-checks everywhere again
-- add mozilla-bmo531915.patch to fix build on i586
-
--------------------------------------------------------------------
-Tue Aug 31 00:33:39 UTC 2021 - Atri Bhattacharya <badshah400@gmail.com>
-
-- Add mozilla-bmo1708709.patch: On [wayland] popup can be wrongly
- repositioned due to rounding errors when font scaling != 1
- (bmo#1708709); patch taken from upstream bug report and rebased
- to apply cleanly against current version.
-
--------------------------------------------------------------------
-Sun Aug 29 14:45:29 UTC 2021 - Martin Liška <mliska@suse.cz>
-
-- Bump using with GCC (tested locally).
-
--------------------------------------------------------------------
-Fri Aug 27 22:47:48 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 91.0.2:
- * Fixed: Firefox no longer clears authentication data when
- purging trackers, to avoid repeatedly prompting for a
- password (bmo#1721084)
-
--------------------------------------------------------------------
-Wed Aug 18 06:34:01 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 91.0.1
- * Fixed an issue causing buttons on the tab bar to be resized when
- loading certain websites (bmo#1704404)
- * Fixed an issue which caused tabs from private windows to be
- visible in non-private windows when viewing switch-to-tab results
- in the address bar panel (bmo#1720369)
- * Various stability fixes
- MFSA 2021-37 (bsc#1189547)
- * CVE-2021-29991 (bmo#1724896)
- Header Splitting possible with HTTP/3 Responses
-
--------------------------------------------------------------------
-Mon Aug 9 14:55:22 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 91.0
- MFSA 2021-33 (bsc#1188891)
- * CVE-2021-29986 (bmo#1696138)
- Race condition when resolving DNS names could have led to
- memory corruption
- * CVE-2021-29981 (bmo#1707774)
- Live range splitting could have led to conflicting
- assignments in the JIT
- * CVE-2021-29988 (bmo#1717922)
- Memory corruption as a result of incorrect style treatment
- * CVE-2021-29983 (bmo#1719088)
- Firefox for Android could get stuck in fullscreen mode
- * CVE-2021-29984 (bmo#1720031)
- Incorrect instruction reordering during JIT optimization
- * CVE-2021-29980 (bmo#1722204)
- Uninitialized memory in a canvas object could have led to
- memory corruption
- * CVE-2021-29987 (bmo#1716129)
- Users could have been tricked into accepting unwanted
- permissions on Linux
- * CVE-2021-29985 (bmo#1722083)
- Use-after-free media channels
- * CVE-2021-29982 (bmo#1715318)
- Single bit data leak due to incorrect JIT optimization and
- type confusion
- * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
- bmo#1719998, bmo#1720568)
- Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
- * CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778,
- bmo#1719319, bmo#1722073)
- Memory safety bugs fixed in Firefox 91
-- requires
- * rustc/cargo >= 1.51
- * NSPR >= 4.32
- * NSS >= 3.68
-- force-disable webrender on BE platforms
-
--------------------------------------------------------------------
-Sat Jul 24 07:15:54 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 90.0.2:
- * Changed: Updates to support DoH Canada rollout (bmo#1713036)
- * Fixed: Fixed truncated output when printing (bmo#1720621)
- * Fixed: Fixed menu styling on some Gtk themes (bmo#1720441,
- bmo#1720874)
-
--------------------------------------------------------------------
-Mon Jul 19 20:08:56 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 90.0.1 (boo#1188480):
- * Fixed: Fixed busy looping processing some HTTP3 responses
- (bmo#1720079)
- * Fixed: Fixed transient errors authenticating with some smart
- cards (bmo#1715325)
- * Fixed: Fixed a rare crash on shutdown (bmo#1707057)
- * Fixed: Fixed a race on startup that caused about:support to
- end up empty after upgrade (bmo#1717894, boo#1188330)
-
--------------------------------------------------------------------
-Sun Jul 11 08:53:02 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 90.0
- MFSA 2021-28 (bsc#1188275)
- * CVE-2021-29970 (bmo#1709976)
- Use-after-free in accessibility features of a document
- * CVE-2021-29971 (bmo#1713638)
- Granted permissions only compared host; omitting scheme and
- port on Android
- * CVE-2021-30547 (bmo#1715766)
- Out of bounds write in ANGLE
- * CVE-2021-29972 (bmo#1696816)
- Use of out-of-date library included use-after-free
- vulnerability
- * CVE-2021-29973 (bmo#1701932)
- Password autofill on HTTP websites was enabled without user
- interaction on Android
- * CVE-2021-29974 (bmo#1704843)
- HSTS errors could be overridden when network partitioning was
- enabled
- * CVE-2021-29975 (bmo#1713259)
- Text message could be overlaid on top of another website
- * CVE-2021-29976 (bmo#1700895, bmo#1703334, bmo#1706910,
- bmo#1711576, bmo#1714391)
- Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
- * CVE-2021-29977 (bmo#1665836, bmo#1686138, bmo#1704316,
- bmo#1706314, bmo#1709931, bmo#1712084, bmo#1712357,
- bmo#1714066)
- Memory safety bugs fixed in Firefox 90
-- requires
- NSPR 4.31
- NSS 3.66
-- Gtk2 support removed (was only for Flash plugin before)
-
--------------------------------------------------------------------
-Wed Jun 23 16:54:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 89.0.2 (boo#1187648):
- * Fix occasional hangs with Software WebRender on Linux (bmo#1708224)
-
--------------------------------------------------------------------
-Sat Jun 19 09:00:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 89.0.1 (boo#1187475):
- * Updated translations, including full Spanish (Mexico)
- localization and other improvements (bmo#1714946)
- * Fix various font related regressions (bmo#1694174)
- * Linux: Fix performance and stability regressions with
- WebRender (bmo#1715895, bmo#1715902)
- * Enterprise: Fix for the `DisableDeveloperTools` policy not
- having effect anymore (bmo#1715777)
- * Linux: Fix broken scrollbars on some GTK themes (bmo#1714103)
- * Various stability fixes
-
--------------------------------------------------------------------
-Sat May 29 20:55:56 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 89.0
- * UI redesign
- * The Event Timing API is now supported
- * The CSS forced-colors media query is now supported
- MFSA 2021-23 (bsc#1186696)
- * CVE-2021-29965 (bmo#1709257)
- Password Manager on Firefox for Android susceptible to domain
- spoofing
- * CVE-2021-29960 (bmo#1675965)
- Filenames printed from private browsing mode incorrectly
- retained in preferences
- * CVE-2021-29961 (bmo#1700235)
- Firefox UI spoof using `<select>` elements and CSS scaling
- * CVE-2021-29963 (bmo#1705068)
- Shared cookies for search suggestions in private browsing mode
- * CVE-2021-29964 (bmo#1706501)
- Out of bounds-read when parsing a `WM_COPYDATA` message
- * CVE-2021-29959 (bmo#1395819)
- Devices could be re-enabled without additional permission prompt
- * CVE-2021-29962 (bmo#1701673)
- No rate-limiting for popups on Firefox for Android
- * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
- bmo#1704722, bmo#1706041)
- Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
- * CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124)
- Memory safety bugs fixed in Firefox 89
-- require
- NSS >= 3.64
- rust-cbindgen >= 0.19.0
-- do not rely on nodejs10 packagename anymore
-- updated mozilla.keyring
-- switched TW/x86_64 to clang as the last platform due to
- https://bugs.gentoo.org/792705
-- but LTO with clang is broken in TW so disable LTO for it
- https://bugs.llvm.org/show_bug.cgi?id=47872
-
--------------------------------------------------------------------
-Thu May 6 13:40:10 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Relax RAM and disk constraints for aarch64
-
--------------------------------------------------------------------
-Wed May 5 15:13:20 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 88.0.1
- * Fixed: Resolved an issue caused by a recent Widevine plugin
- update which prevented some purchased video content from
- playing correctly (bmo#1705138)
- * Fixed: Fixed corruption of videos playing on Twitter or
- WebRTC calls on some Gen6 Intel graphics chipsets
- (bmo#1708937)
- * Fixed: Fixed menulists in Preferences being unreadable for
- users with High Contrast Mode enabled (bmo#1706496)
- MFSA 2021-20 (bsc#1185633)
- * CVE-2021-29952 (bmo#1704227)
- Race condition in Web Render Components
-- devel package: move macros to /usr/lib/rpm/macros.d (boo#1185658)
-
--------------------------------------------------------------------
-Sun May 2 12:03:26 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- add compatibility for libavcodec58_134
-
--------------------------------------------------------------------
-Sun Apr 18 09:01:32 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 88.0
- * New: PDF forms now support JavaScript embedded in PDF files.
- Some PDF forms use JavaScript for validation and other
- interactive features
- * New: Print updates: Margin units are now localized
- * New: Smooth pinch-zooming using a touchpad is now supported
- on Linux
- * New: To protect against cross-site privacy leaks, Firefox now
- isolates window.name data to the website that created it.
- Learn more
- * Changed: Firefox will not prompt for access to your
- microphone or camera if you’ve already granted access to the
- same device on the same site in the same tab within the past
- 50 seconds. This new grace period reduces the number of times
- you’re prompted to grant device access
- * Changed: The ‘Take a Screenshot’ feature was removed from the
- Page Actions menu in the url bar. To take a screenshot,
- right-click to open the context menu. You can also add a
- screenshots shortcut directly to your toolbar via the
- Customize menu. Open the Firefox menu and select Customize…
- * Changed: FTP support has been disabled, and its full removal
- is planned for an upcoming release. Addressing this security
- risk reduces the likelihood of an attack while also removing
- support for a non-encrypted protocol
- * Developer: Introduced a new toggle button in the Network
- panel for switching between JSON formatted HTTP response and
- raw data (as received over the wire).
- !enter image description here
- * Enterprise: Various bug fixes and new policies have been
- implemented in the latest version of Firefox. You can see
- more details in the Firefox for Enterprise 88 Release Notes.
- * Fixed: Screen readers no longer incorrectly read content that
- websites have visually hidden, as in the case of articles in
- the Google Help panel
- MFSA 2021-16 (bsc#1184960)
- * CVE-2021-23994 (bmo#1699077)
- Out of bound write due to lazy initialization
- * CVE-2021-23995 (bmo#1699835)
- Use-after-free in Responsive Design Mode
- * CVE-2021-23996 (bmo#1701834)
- Content rendered outside of webpage viewport
- * CVE-2021-23997 (bmo#1701942)
- Use-after-free when freeing fonts from cache
- * CVE-2021-23998 (bmo#1667456)
- Secure Lock icon could have been spoofed
- * CVE-2021-23999 (bmo#1691153)
- Blob URLs may have been granted additional privileges
- * CVE-2021-24000 (bmo#1694698)
- requestPointerLock() could be applied to a tab different from
- the visible tab
- * CVE-2021-24001 (bmo#1694727)
- Testing code could have enabled session history manipulations
- by a compromised content process
- * CVE-2021-24002 (bmo#1702374)
- Arbitrary FTP command execution on FTP servers using an
- encoded URL
- * CVE-2021-29945 (bmo#1700690)
- Incorrect size computation in WebAssembly JIT could lead to
- null-reads
- * CVE-2021-29944 (bmo#1697604)
- HTML injection vulnerability in Firefox for Android's Reader View
- * CVE-2021-29946 (bmo#1698503)
- Port blocking could be bypassed
- * CVE-2021-29947 (bmo#1651449, bmo#1674142, bmo#1693476,
- bmo#1696886, bmo#1700091)
- Memory safety bugs fixed in Firefox 88
-- requires
- * NSPR 4.30
- * NSS 3.63.1
-- align wayland support logic
-
--------------------------------------------------------------------
-Sat Mar 27 10:40:46 UTC 2021 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Switch to clang_build globally; just on TW/x86_64 it does not work
- due to unreolved externals `__rust_probestack' - disable clang_build
- then.
-- useccache: Add conditionals to enable/disable ccache.
-
--------------------------------------------------------------------
-Tue Mar 23 16:42:19 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 87.0
- * requires NSS 3.62
- * removed obsolete BigEndian ICU build workaround
- * rebased patches
- MFSA 2021-10 (bsc#1183942)
- * CVE-2021-23981 (bmo#1692832)
- Texture upload into an unbound backing buffer resulted in an
- out-of-bound read
- * CVE-2021-23982 (bmo#1677046)
- Internal network hosts could have been probed by a malicious
- webpage
- * CVE-2021-23983 (bmo#1692684)
- Transitions for invalid ::marker properties resulted in memory
- corruption
- * CVE-2021-23984 (bmo#1693664)
- Malicious extensions could have spoofed popup information
- * CVE-2021-23985 (bmo#1659129)
- Devtools remote debugging feature could have been enabled
- without indication to the user
- * CVE-2021-23986 (bmo#1692623)
- A malicious extension could have performed credential-less
- same origin policy violations
- * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169,
- bmo#1690718)
- Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9
- * CVE-2021-23988 (bmo#1684994, bmo#1686653)
- Memory safety bugs fixed in Firefox 87
-
--------------------------------------------------------------------
-Tue Mar 16 14:26:35 UTC 2021 - Martin Liška <mliska@suse.cz>
-
-- Set memory limits for DWZ to 4x.
-
--------------------------------------------------------------------
-Sat Mar 13 08:23:06 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 86.0.1
- * Fixed: Fixed an issue on Apple Silicon machines that caused
- Firefox to be unresponsive after system sleep (bmo#1682713)
- * Fixed: Fixed an issue causing windows to gain or lose focus
- unexpectedly (bmo#1694927)
- * Fixed: Fixed truncation of date and time widgets due to
- incorrect width calculation (bmo#1695578)
- * Fixed: Fixed an issue causing unexpected behavior with
- extensions managing tab groups (bmo#1694699)
- * Fixed: Fixed a frequent Linux crash on browser launch
- (bmo#1694670)
-
--------------------------------------------------------------------
-Sun Feb 21 18:14:12 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 86.0
- * requires NSS >= 3.61
- * requires rust-cbindgen >= 0.16.0
- * Firefox now supports simultaneously watching multiple videos in
- Picture-in-Picture.
- * Total Cookie Protection to Strict Mode
- * https://www.mozilla.org/en-US/firefox/86.0/releasenotes
- MSFA 2021-07 (bsc#1182614)
- * CVE-2021-23969 (bmo#1542194)
- Content Security Policy violation report could have contained
- the destination of a redirect
- * CVE-2021-23970 (bmo#1681724)
- Multithreaded WASM triggered assertions validating separation
- of script domains
- * CVE-2021-23968 (bmo#1687342)
- Content Security Policy violation report could have contained
- the destination of a redirect
- * CVE-2021-23974 (bmo#1528997, bmo#1683627)
- noscript elements could have led to an HTML Sanitizer bypass
- * CVE-2021-23971 (bmo#1678545)
- A website's Referrer-Policy could have been be overridden,
- potentially resulting in the full URL being sent as a Referrer
- * CVE-2021-23976 (bmo#1684627)
- Local spoofing of web manifests for arbitrary pages in
- Firefox for Android
- * CVE-2021-23977 (bmo#1684761)
- Malicious application could read sensitive data from Firefox
- for Android's application directories
- * CVE-2021-23972 (bmo#1683536)
- HTTP Auth phishing warning was omitted when a redirect is
- cached
- * CVE-2021-23975 (bmo#1685145)
- about:memory Measure function caused an incorrect pointer
- operation
- * CVE-2021-23973 (bmo#1690976)
- MediaError message property could have leaked information
- about cross-origin resources
- * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, bmo#786797)
- Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
- * CVE-2021-23979 (bmo#1663222, bmo#1666607, bmo#1672120, bmo#1678463,
- bmo#1678927, bmo#1679560, bmo#1681297, bmo#1681684, bmo#1683490,
- bmo#1684377, bmo#1684902)
- Memory safety bugs fixed in Firefox 86
-- updated create-tar.sh (bsc#1182357)
-- removed obsolete mozilla-bmo1554971.patch
-- remove buildsymbols subpackage
- * we haven't done anything with it for years
- * mozilla is collecting those from our debuginfo packages
- * would require a local dump_syms tool
-
--------------------------------------------------------------------
-Wed Feb 17 18:40:41 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 85.0.2
- * Fixed: Fixed a deadlock during startup (bmo#1679933)
-
--------------------------------------------------------------------
-Wed Feb 17 11:19:01 UTC 2021 - Michel Normand <normand@linux.vnet.ibm.com>
-
-- Use %limit_build macros for PowerPC to avoid oom build failure
-
--------------------------------------------------------------------
-Tue Feb 9 09:05:26 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 85.0.1
- MFSA 2021-06 (bsc#1181848)
- * MOZ-2021-0001 (bmo#1676636)
- Buffer overflow in depth pitch calculations for compressed
- textures
- * Fixed: Avoid printing an extra blank page at the end of some
- documents (bmo#1689789).
- * Fixed: Fixed a browser crash in case of unexpected Cache API
- state (bmo#1684838).
-
--------------------------------------------------------------------
-Sun Jan 24 11:53:58 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 85.0
- * Adobe Flash is completely history
- * supercookie protection
- * new bookmark handling and features
- MFSA 2021-03 (bsc#1181414)
- * CVE-2021-23953 (bmo#1683940)
- Cross-origin information leakage via redirected PDF requests
- * CVE-2021-23954 (bmo#1684020)
- Type confusion when using logical assignment operators in
- JavaScript switch statements
- * CVE-2021-23955 (bmo#1684837)
- Clickjacking across tabs through misusing requestPointerLock
- * CVE-2021-23956 (bmo#1338637)
- File picker dialog could have been used to disclose a
- complete directory
- * CVE-2021-23957 (bmo#1584582)
- Iframe sandbox could have been bypassed on Android via the
- intent URL scheme
- * CVE-2021-23958 (bmo#1642747)
- Screen sharing permission leaked across tabs
- * CVE-2021-23959 (bmo#1659035)
- Cross-Site Scripting in error pages on Firefox for Android
- * CVE-2021-23960 (bmo#1675755)
- Use-after-poison for incorrectly redeclared JavaScript
- variables during GC
- * CVE-2021-23961 (bmo#1677940)
- More internal network hosts could have been probed by a
- malicious webpage
- * CVE-2021-23962 (bmo#1677194)
- Use-after-poison in
- <code>nsTreeBodyFrame::RowCountChanged</code>
- * CVE-2021-23963 (bmo#1680793)
- Permission prompt inaccessible after asking for additional
- permissions
- * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278,
- bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590,
- bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938,
- bmo#1683736, bmo#1685260, bmo#1685925)
- Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
- * CVE-2021-23965 (bmo#1670378, bmo#1673555, bmo#1676812, bmo#1678582,
- bmo#1684497)
- Memory safety bugs fixed in Firefox 85
-- requires NSS 3.60.1
-- requires rust 1.47
-- remove obsolete mozilla-pipewire-0-3.patch
-
--------------------------------------------------------------------
-Mon Jan 11 18:02:01 UTC 2021 - Matthias Mailänder <mailaender@opensuse.org>
-
-- Fix AppStream screenshot links
-
--------------------------------------------------------------------
-Thu Jan 7 17:11:43 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 84.0.2
- MFSA 2021-01 (bsc#1180623)
- * CVE-2020-16044 (bmo#1683964)
- Use-after-free write when handling a malicious COOKIE-ECHO
- SCTP chunk
-
--------------------------------------------------------------------
-Sun Dec 27 09:52:50 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 84.0.1
- * Fixed problems loading secure websites and crashes for users
- with certain third-party PKCS11 modules and smartcards installed
- (bmo#1682881) (fixed in NSS 3.59.1)
- * Fixed a bug causing some Unity JS games to not load on Apple
- Silicon devices due to improper detection of the OS version
- (bmo#1680516)
-- requires NSS 3.59.1
-
--------------------------------------------------------------------
-Sun Dec 13 18:18:58 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 84.0
- * Firefox 84 is the final release to support Adobe Flash
- * WebRender is enabled by default when run on GNOME-based X11
- Linux desktops
- MFSA 2020-54 (bsc#1180039))
- * CVE-2020-16042 (bmo#1679003)
- Operations on a BigInt could have caused uninitialized memory
- to be exposed
- * CVE-2020-26971 (bmo#1663466)
- Heap buffer overflow in WebGL
- * CVE-2020-26972 (bmo#1671382)
- Use-After-Free in WebGL
- * CVE-2020-26973 (bmo#1680084)
- CSS Sanitizer performed incorrect sanitization
- * CVE-2020-26974 (bmo#1681022)
- Incorrect cast of StyleGenericFlexBasis resulted in a heap
- use-after-free
- * CVE-2020-26975 (bmo#1661071)
- Malicious applications on Android could have induced Firefox
- for Android into sending arbitrary attacker-specified headers
- * CVE-2020-26976 (bmo#1674343)
- HTTPS pages could have been intercepted by a registered
- service worker when they should not have been
- * CVE-2020-26977 (bmo#1676311)
- URL spoofing via unresponsive port in Firefox for Android
- * CVE-2020-26978 (bmo#1677047)
- Internal network hosts could have been probed by a malicious
- webpage
- * CVE-2020-26979 (bmo#1641287, bmo#1673299)
- When entering an address in the address or search bars, a
- website could have redirected the user before they were
- navigated to the intended url
- * CVE-2020-35111 (bmo#1657916)
- The proxy.onRequest API did not catch view-source URLs
- * CVE-2020-35112 (bmo#1661365)
- Opening an extension-less download may have inadvertently
- launched an executable instead
- * CVE-2020-35113 (bmo#1664831, bmo#1673589)
- Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
- * CVE-2020-35114 (bmo#1607449, bmo#1640416, bmo#1656459,
- bmo#1669914, bmo#1673567)
- Memory safety bugs fixed in Firefox 84
-- requires
- NSS >= 3.59
- rust >= 1.44
- rust-cbindgen >= 0.15.0
-- remove revert-795c8762b16b.patch and replace with mozilla-pgo.patch
-
--------------------------------------------------------------------
-Sat Nov 21 08:12:17 UTC 2020 - Kirill Kirillov <kkirill@opensuse.org>
-
-- Add/Enable GNOME search provider
-
--------------------------------------------------------------------
-Sun Nov 15 12:16:53 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 83.0
- * major update for SpiderMonkey improving performance significantly
- * optional HTTPS-Only mode
- * more improvements
- https://www.mozilla.org/en-US/firefox/83.0/releasenotes/
- MFSA 2020-50 (bsc#1178824))
- * CVE-2020-26951 (bmo#1667113)
- Parsing mismatches could confuse and bypass security
- sanitizer for chrome privileged code
- * CVE-2020-26952 (bmo#1667685)
- Out of memory handling of JITed, inlined functions could lead
- to a memory corruption
- * CVE-2020-16012 (bmo#1642028)
- Variable time processing of cross-origin images during
- drawImage calls
- * CVE-2020-26953 (bmo#1656741)
- Fullscreen could be enabled without displaying the security UI
- * CVE-2020-26954 (bmo#1657026)
- Local spoofing of web manifests for arbitrary pages in
- Firefox for Android
- * CVE-2020-26955 (bmo#1663261)
- Cookies set during file downloads are shared between normal
- and Private Browsing Mode in Firefox for Android
- * CVE-2020-26956 (bmo#1666300)
- XSS through paste (manual and clipboard API)
- * CVE-2020-26957 (bmo#1667179)
- OneCRL was not working in Firefox for Android
- * CVE-2020-26958 (bmo#1669355)
- Requests intercepted through ServiceWorkers lacked MIME type
- restrictions
- * CVE-2020-26959 (bmo#1669466)
- Use-after-free in WebRequestService
- * CVE-2020-26960 (bmo#1670358)
- Potential use-after-free in uses of nsTArray
- * CVE-2020-15999 (bmo#1672223)
- Heap buffer overflow in freetype
- * CVE-2020-26961 (bmo#1672528)
- DoH did not filter IPv4 mapped IP Addresses
- * CVE-2020-26962 (bmo#610997)
- Cross-origin iframes supported login autofill
- * CVE-2020-26963 (bmo#1314912)
- History and Location interfaces could have been used to hang
- the browser
- * CVE-2020-26964 (bmo#1658865)
- Firefox for Android's Remote Debugging via USB could have
- been abused by untrusted apps on older versions of Android
- * CVE-2020-26965 (bmo#1661617)
- Software keyboards may have remembered typed passwords
- * CVE-2020-26966 (bmo#1663571)
- Single-word search queries were also broadcast to local
- network
- * CVE-2020-26967 (bmo#1665820)
- Mutation Observers could break or confuse Firefox Screenshots
- feature
- * CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697,
- bmo#1657739, bmo#1660236, bmo#1667912, bmo#1671479,
- bmo#1671923)
- Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
- * CVE-2020-26969 (bmo#1623920, bmo#1651705, bmo#1667872,
- bmo#1668876)
- Memory safety bugs fixed in Firefox 83
-- requires
- NSS >= 3.58
- nodejs >= 10.22.1
-- removed obsolete mozilla-ppc-altivec_static_inline.patch
-- disable LTO on TW because of ICEs in gcc
-
--------------------------------------------------------------------
-Mon Nov 9 10:15:52 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 82.0.3
- MSFA 2020-49
- * CVE-2020-26950 (bmo#1675905)
- Write side effects in MCallGetProperty opcode not accounted for
-
--------------------------------------------------------------------
-Mon Nov 2 09:00:13 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 82.0.2
- * few bugfixes for introduced regressions
-
--------------------------------------------------------------------
-Sun Nov 1 20:15:17 UTC 2020 - Kirill Kirillov <kkirill@opensuse.org>
-
-- Enable GNOME search provider
-
--------------------------------------------------------------------
-Thu Oct 15 20:44:47 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 82.0
- * https://www.mozilla.org/en-US/firefox/82.0/releasenotes/
- MFSA 2020-45 (bsc#1177872)
- * CVE-2020-15969 (bmo#1666570)
- Use-after-free in usersctp
- * CVE-2020-15254 (bmo#1668514)
- Undefined behavior in bounded channel of crossbeam rust crate
- * CVE-2020-15680 (bmo#1658881)
- Presence of external protocol handlers could be determined
- through image tags
- * CVE-2020-15681 (bmo#1666568)
- Multiple WASM threads may have overwritten each others' stub
- table entries
- * CVE-2020-15682 (bmo#1636654)
- The domain associated with the prompt to open an external
- protocol could be spoofed to display the incorrect origin
- * CVE-2020-15683 (bmo#1576843, bmo#1656987, bmo#1660954,
- bmo#1662760, bmo#1663439, bmo#1666140)
- Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
- * CVE-2020-15684 (bmo#1653764, bmo#1661402, bmo#1662259,
- bmo#1664257)
- Memory safety bugs fixed in Firefox 82
-- requires
- * NSPR 4.29
- * NSS 3.57
-
--------------------------------------------------------------------
-Thu Oct 1 20:00:27 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 81.0.1
- * https://www.mozilla.org/en-US/firefox/81.0.1/releasenotes/
-- remove obsolete python2 build requires
-
--------------------------------------------------------------------
-Wed Sep 30 18:49:10 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Increase disk requirements in _constraints to match current needs
-
--------------------------------------------------------------------
-Fri Sep 18 06:22:40 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 81.0
- * https://www.mozilla.org/en-US/firefox/81.0/releasenotes
- MFSA 2020-42 (bsc#1176756)
- * CVE-2020-15675 (bmo#1654211)
- Use-After-Free in WebGL
- * CVE-2020-15677 (bmo#1641487)
- Download origin spoofing via redirect
- * CVE-2020-15676 (bmo#1646140)
- XSS when pasting attacker-controlled data into a
- contenteditable element
- * CVE-2020-15678 (bmo#1660211)
- When recursing through layers while scrolling, an iterator
- may have become invalid, resulting in a potential use-after-
- free scenario
- * CVE-2020-15673 (bmo#1648493, bmo#1660800)
- Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
- * CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
- Memory safety bugs fixed in Firefox 81
-- requires
- NSPR 4.28
- NSS 3.56
-- removed obsolete patches
- * mozilla-system-nspr.patch
- * mozilla-bmo1661715.patch
- * mozilla-silence-no-return-type.patch
-- skip post-build-checks for 15.0 and 15.1
-- add revert-795c8762b16b.patch to fix LTO builds with gcc
- (related to bmo#1644409)
-- require python3-curses as workaround to fix i586 build
-
--------------------------------------------------------------------
-Thu Sep 17 11:45:31 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Use %limit_build macro again for aarch64 and armv7, instead of
- the new memoryperjob _constraints to use more workers
-
--------------------------------------------------------------------
-Sat Sep 5 17:43:26 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- add mozilla-bmo1661715.patch to fix Flash plugin
-
--------------------------------------------------------------------
-Wed Sep 2 17:11:19 UTC 2020 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Mozilla Firefox 80.0.1: Bug fixes:
- * Fixed a performance regression when encountering new intermediate
- CA certificates (bmo#1661543)
- * Fixed crashes possibly related to GPU resets (bmo#1627616)
- * Fixed rendering on some sites using WebGL (bmo#1659225)
- * Fixed the zoom-in keyboard shortcut on Japanese language builds
- (bmo#1661895)
- * Fixed download issues related to extensions and cookies
- (bmo#1655190)
-- added mozilla-silence-no-return-type.patch
-
--------------------------------------------------------------------
-Tue Aug 25 19:30:15 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- more whitelisting (/dev/random) for sandbox in relation to FIPS
- (bsc#1174284)
-- improve langpack builds to use dedicated objdirs and make it
- parallel again
-
--------------------------------------------------------------------
-Sat Aug 22 06:52:01 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 80.0
- MFSA 2020-36 (bsc#1175686)
- * CVE-2020-15663 (bmo#1643199)
- Downgrade attack on the Mozilla Maintenance Service could
- have resulted in escalation of privilege
- * CVE-2020-15664 (bmo#1658214)
- Attacker-induced prompt for extension installation
- * CVE-2020-12401 (bmo#1631573)
- Timing-attack on ECDSA signature generation
- * CVE-2020-6829 (bmo#1631583)
- P-384 and P-521 vulnerable to an electro-magnetic side
- channel attack on signature generation
- * CVE-2020-12400 (bmo#1623116)
- P-384 and P-521 vulnerable to a side channel attack on
- modular inversion
- * CVE-2020-15665 (bmo#1651636)
- Address bar not reset when choosing to stay on a page after
- the beforeunload dialog is shown
- * CVE-2020-15666 (bmo#1450853)
- MediaError message property leaks cross-origin response
- status
- * CVE-2020-15667 (bmo#1653371)
- Heap overflow when processing an update file
- * CVE-2020-15668 (bmo#1651520)
- Data Race when reading certificate information
- * CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
- bmo#1656957)
- Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
-- requires
- * NSPR 4.27
- * NSS 3.55
-- added mozilla-system-nspr.patch (bmo#1661096)
-- exclude ga-IE locale as it's failing to build
-- rollback parallelize locale build because it breaks bookmarks
- (boo#1167976)
-- preserve original default bookmark file during langpack build
- (boo#1167976)
-- add some ccache output during build
-
--------------------------------------------------------------------
-Thu Aug 20 13:07:33 UTC 2020 - Martin Liška <mliska@suse.cz>
-
-- Use new memoryperjob _constraints instead of %limit_build macro.
-
--------------------------------------------------------------------
-Mon Aug 10 09:19:38 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- use ccache for build
-- replace versioned RPM deps with requires_ge
-- parallelize locale build
-
--------------------------------------------------------------------
-Thu Aug 6 14:37:16 UTC 2020 - Yunhe Guo <i@guoyunhe.me>
-
-- Change *.appdata.xml location to latest AppStream standard
-
--------------------------------------------------------------------
-Thu Jul 23 21:00:34 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 79.0
- MFSA 2020-30 (bsc#1174538)
- * CVE-2020-15652 (bmo#1634872)
- Potential leak of redirect targets when loading scripts in a worker
- * CVE-2020-6514 (bmo#1642792)
- WebRTC data channel leaks internal address to peer
- * CVE-2020-15655 (bmo#1645204)
- Extension APIs could be used to bypass Same-Origin Policy
- * CVE-2020-15653 (bmo#1521542)
- Bypassing iframe sandbox when allowing popups
- * CVE-2020-6463 (bmo#1635293)
- Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
- * CVE-2020-15656 (bmo#1647293)
- Type confusion for special arguments in IonMonkey
- * CVE-2020-15658 (bmo#1637745)
- Overriding file type when saving to disk
- * CVE-2020-15657 (bmo#1644954)
- DLL hijacking due to incorrect loading path
- * CVE-2020-15654 (bmo#1648333)
- Custom cursor can overlay user interface
- * CVE-2020-15659 (bmo#1550133, bmo#1633880, bmo#1638856,
- bmo#1643613, bmo#1644839, bmo#1645835, bmo#1646006, bmo#1646220,
- bmo#1646787, bmo#1649347, bmo#1650811, bmo#1651678)
- Memory safety bugs fixed in Firefox 79
-- updated dependency requirements:
- * mozilla-nspr >= 4.26
- * mozilla-nss >= 3.54
- * rust >= 1.43
- * rust-cbindgen >= 0.14.3
-- removed obsolete patch
- mozilla-bmo1463035.patch
-
--------------------------------------------------------------------
-Tue Jul 21 21:31:20 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- fixed syntax issue in desktop file (boo#1174360)
-
--------------------------------------------------------------------
-Fri Jul 17 15:07:45 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Add mozilla-libavcodec58_91.patch to link against updated
- soversion of libavcodec (58.91) with ffmpeg >= 4.3.
- (patch provided by Atri Bhattacharya <badshah400@gmail.com>
-- enable MOZ_USE_XINPUT2 for TW (again) (boo#1173320)
- (Plasma 5.19.3 is now in TW)
-
--------------------------------------------------------------------
-Sat Jul 11 11:08:06 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 78.0.2
- * Fixed an accessibility regression in reader mode (bmo#1650922)
- * Made the address bar more resilient to data corruption in the
- user profile (bmo#1649981)
- * Fixed a regression opening certain external applications (bmo#1650162)
- MFSA 2020-28
- * CVE pending (bmo#1644076)
- X-Frame-Options bypass using object or embed tags
-- added desktop file actions
-- do not use XINPUT2 for the moment until Plasma 5.19.3 has landed
- (boo#1173993)
-- rework langpack integration (boo#1173991)
- * ship XPIs instead of directories
- * allow addon sideloading
- * mark signatures for langpacks non-mandatory
- * do not autodisable user profile scopes
-- Google API key is not usable for geolocation service
-- fix pipewire support for TW (boo#1172903)
-
--------------------------------------------------------------------
-Wed Jul 1 07:15:02 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 78.0.1
- * Fixed an issue which could cause installed search engines to not
- be visible when upgrading from a previous release.
-- enable MOZ_USE_XINPUT2 for TW (boo#1173320)
-
--------------------------------------------------------------------
-Sun Jun 28 07:17:13 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 78.0
- * startup notifications now using Gtk instead of libnotify
- * PDF downloads now show an option to open the PDF directly in Firefox
- * Protections Dashboard (about:protections)
- * WebRTC not interrupted by screensaver anymore
- * disabled TLS 1.0 and 1.1 by default
- MFSA 2020-24 (bsc#1173576)
- * CVE-2020-12415 (bmo#1586630)
- AppCache manifest poisoning due to url encoded character processing
- * CVE-2020-12416 (bmo#1639734)
- Use-after-free in WebRTC VideoBroadcaster
- * CVE-2020-12417 (bmo#1640737)
- Memory corruption due to missing sign-extension for ValueTags
- on ARM64
- * CVE-2020-12418 (bmo#1641303)
- Information disclosure due to manipulated URL object
- * CVE-2020-12419 (bmo#1643874)
- Use-after-free in nsGlobalWindowInner
- * CVE-2020-12420 (bmo#1643437)
- Use-After-Free when trying to connect to a STUN server
- * CVE-2020-12402 (bmo#1631597)
- RSA Key Generation vulnerable to side-channel attack
- * CVE-2020-12421 (bmo#1308251)
- Add-On updates did not respect the same certificate trust
- rules as software updates
- * CVE-2020-12422 (bmo#1450353)
- Integer overflow in nsJPEGEncoder::emptyOutputBuffer
- * CVE-2020-12423 (bmo#1642400)
- DLL Hijacking due to searching %PATH% for a library
- * CVE-2020-12424 (bmo#1562600)
- WebRTC permission prompt could have been bypassed by a
- compromised content process
- * CVE-2020-12425 (bmo#1634738)
- Out of bound read in Date.parse()
- * CVE-2020-12426 (bmo#1608068, bmo#1609951, bmo#1631187, bmo#1637682)
- Memory safety bugs fixed in Firefox 78
-- requires
- * NSS >= 3.53.1
- * nodejs >= 10.21
- * Gtk+3 >= 3.14
-- removed obsolete patches
- * mozilla-s390-bigendian.patch
- * mozilla-bmo1634646.patch
-- Add mozilla-pipewire-0-3.patch for openSUSE >= 15.2 to build
- WebRTC with pipewire support to enable screen sharing under
- Wayland; also add BuildRequires: pkgconfig(libpipewire-0.3)
- appropriately (boo#1172903).
-- adding SLE12 compatibility in spec file
-- add patches for s390x
- * mozilla-bmo1602730.patch (bmo#1602730)
- * mozilla-bmo1626236.patch (bmo#1626236)
- * mozilla-bmo998749.patch (bmo#998749)
- * mozilla-s390x-skia-gradient.patch
-- update create-tar.sh
-- Use same _constraints for ppc64 (BE) as ppc64le to avoid oom build failure
-
--------------------------------------------------------------------
-Wed Jun 10 07:17:15 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Exclude armv6, since it is unbuildable since about 3 years
-
--------------------------------------------------------------------
-Wed Jun 3 21:39:11 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 77.0.1
- * Disable automatic selection of DNS over HTTPS providers during
- a test to enable wider deployment in a more controlled way
- (bmo#1642723)
-
--------------------------------------------------------------------
-Fri May 29 11:49:36 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 77.0
- * view and manage web certificates more easily on the new
- about:certificate page
- * improvements in accessibility
- * significant improvements to JavaScript debugging
- MFSA 2020-20 (bsc#1172402)
- * CVE-2020-12399 (bmo#1631576)
- Timing attack on DSA signatures in NSS library
- (fixed with external NSS >= 3.52.1)
- * CVE-2020-12405 (bmo#1631618)
- Use-after-free in SharedWorkerService
- * CVE-2020-12406 (bmo#1639590)
- JavaScript type confusion with NativeTypes
- * CVE-2020-12407 (bmo#1637112)
- WebRender leaking GPU memory when using border-image CSS
- directive
- * CVE-2020-12408 (bmo#1623888)
- URL spoofing when using IP addresses
- * CVE-2020-12409 (bmo#1619305, bmo#1632717)
- Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
- * CVE-2020-12411 (bmo#1620972, bmo#1625333)
- Memory safety bugs fixed in Firefox 77
-- requires
- * NSS >= 3.52.1
- * rust-cbindgen >= 1.14.1
- * clang >= 5
-- added mozilla-bmo1634646.patch as part of fixing PGO build
- (still not working)
-
--------------------------------------------------------------------
-Wed May 13 12:21:13 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>
-
-- change again _constraints for ppc64le use <physicalmemory>
- and increase limit_build in spec file to reduce max_jobs.
-
--------------------------------------------------------------------
-Sat May 9 11:45:39 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 76.0.1
- * Fixed a bug causing some add-ons such as Amazon Assistant to see
- multiple onConnect events, impairing functionality (bmo#1635637)
-
--------------------------------------------------------------------
-Fri May 1 11:59:58 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 76.0
- * Lockwise improvements
- * Improvements in Picture-in-Picture feature
- * Support Audio Worklets
- MFSA-2020-16 (bsc#1171186)
- * CVE-2020-12387 (bmo#1545345)
- Use-after-free during worker shutdown
- * CVE-2020-12388 (bmo#1618911)
- Sandbox escape with improperly guarded Access Tokens
- * CVE-2020-12389 (bmo#1554110)
- Sandbox escape with improperly separated process types
- * CVE-2020-6831 (bmo#1632241)
- Buffer overflow in SCTP chunk input validation
- * CVE-2020-12390 (bmo#1141959)
- Incorrect serialization of nsIPrincipal.origin for IPv6 addresses
- * CVE-2020-12391 (bmo#1457100)
- Content-Security-Policy bypass using object elements
- * CVE-2020-12392 (bmo#1614468)
- Arbitrary local file access with 'Copy as cURL'
- * CVE-2020-12393 (bmo#1615471)
- Devtools' 'Copy as cURL' feature did not fully escape
- website-controlled data, potentially leading to command injection
- * CVE-2020-12394 (bmo#1628288)
- URL spoofing in location bar when unfocussed
- * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098,
- bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508)
- Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
- * CVE-2020-12396 (bmo#1339601, bmo#1611938, bmo#1620488,
- bmo#1622291, bmo#1627644)
- Memory safety bugs fixed in Firefox 76
-- requires
- * NSS >= 3.51.1
- * nasm >= 2.14
-- removed obsolete patch mozilla-bmo1622013.patch
-- fix URI creation for KDE file selector integration (boo#1160331)
-
--------------------------------------------------------------------
-Tue Apr 7 12:18:27 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 75.0
- * https://www.mozilla.org/en-US/firefox/75.0/releasenotes
- MFSA 2020-12 (bsc#1168874)
- * CVE-2020-6821 (bmo#1625404)
- Uninitialized memory could be read when using the WebGL
- copyTexSubImage method
- * CVE-2020-6822 (bmo#1544181)
- Out of bounds write in GMPDecodeData when processing large images
- * CVE-2020-6823 (bmo#1614919)
- Malicious Extension could obtain auth codes from OAuth login flows
- * CVE-2020-6824 (bmo#1621853)
- Generated passwords may be identical on the same site between
- separate private browsing sessions
- * CVE-2020-6825 (bmo#1572541,bmo#1620193,bmo#1620203)
- Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
- * CVE-2020-6826 (bmo#1613009,bmo#1613195,bmo#1616734,bmo#1617488,
- bmo#1619229,bmo#1620719,bmo#1624897)
- Memory safety bugs fixed in Firefox 75
-- removed obsolete patch
- mozilla-bmo1609538.patch
-- requires
- * rust >= 1.41
- * rust-cbindgen >= 0.13.1
- * mozilla-nss >= 3.51
- * nodejs10 >= 10.19
-- fix build issue in libvpx for i586 via mozilla-bmo1622013.patch
-
--------------------------------------------------------------------
-Mon Apr 6 11:19:24 UTC 2020 - Michel Normand <normand@linux.vnet.ibm.com>
-
-- increase _constraints memory for ppc64le
-
--------------------------------------------------------------------
-Fri Apr 3 15:23:28 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 74.0.1
- MFSA 2020-11 (boo#1168630)
- * CVE-2020-6819 (bmo#1620818)
- Use-after-free while running the nsDocShell destructor
- * CVE-2020-6820 (bmo#1626728)
- Use-after-free when handling a ReadableStream
-
--------------------------------------------------------------------
-Wed Mar 25 07:30:39 UTC 2020 - Marcus Meissner <meissner@suse.com>
-
-- mozilla-sandbox-fips.patch: allow /proc/sys/crypto/fips_enabled
- to be read, as openssl 1.1.1 FIPS aborts if it cannot access it
- (bsc#1167132)
-
--------------------------------------------------------------------
-Sat Mar 7 08:51:06 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 74.0
- * https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
- MFSA 2020-08 (bsc#1166238)
- * CVE-2020-6805 (bmo#1610880)
- Use-after-free when removing data about origins
- * CVE-2020-6806 (bmo#1612308)
- BodyStream::OnInputStreamReady was missing protections against
- state confusion
- * CVE-2020-6807 (bmo#1614971)
- Use-after-free in cubeb during stream destruction
- * CVE-2020-6808 (bmo#1247968)
- URL Spoofing via javascript: URL
- * CVE-2020-6809 (bmo#1420296)
- Web Extensions with the all-urls permission could access local
- files
- * CVE-2020-6810 (bmo#1432856)
- Focusing a popup while in fullscreen could have obscured the
- fullscreen notification
- * CVE-2020-6811 (bmo#1607742)
- Devtools' 'Copy as cURL' feature did not fully escape
- website-controlled data, potentially leading to command injection
- * CVE-2019-20503 (bmo#1613765)
- Out of bounds reads in sctp_load_addresses_from_init
- * CVE-2020-6812 (bmo#1616661)
- The names of AirPods with personally identifiable information
- were exposed to websites with camera or microphone permission
- * CVE-2020-6813 (bmo#1605814)
- @import statements in CSS could bypass the Content Security
- Policy nonce feature
- * CVE-2020-6814 (bmo#1592078,bmo#1604847,bmo#1608256,bmo#1612636,
- bmo#1614339)
- Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
- * CVE-2020-6815 (bmo#1181957,bmo#1557732,bmo#1557739,bmo#1611457,
- bmo#1612431)
- Memory and script safety bugs fixed in Firefox 74
-- requires
- * NSPR 4.25
- * NSS 3.50
- * rust-cbindgen 0.13.0
-- removed obsolete patches
- mozilla-bmo1610814.patch
- mozilla-cubeb-noreturn.patch
-- add mozilla-bmo1609538.patch to fix wayland issues with mutter 3.36
- (bmo#1609538, boo#1166471)
-
--------------------------------------------------------------------
-Wed Feb 26 08:12:00 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- big endian fixes
-
--------------------------------------------------------------------
-Tue Feb 25 14:17:00 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Fix build on aarch64/armv7 with:
- * mozilla-bmo1610814.patch (boo#1164845, bmo#1610814)
-
--------------------------------------------------------------------
-Thu Feb 20 13:40:59 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 73.0.1
- * Resolved problems connecting to the RBC Royal Bank website
- (bmo#1613943)
- * Fixed Firefox unexpectedly exiting when leaving Print Preview mode
- (bmo#1611133)
- * Fixed crashes when playing encrypted content on some Linux systems
- (bmo#1614535, boo#1164646)
-- start in wayland mode when running under wayland session
-
--------------------------------------------------------------------
-Sun Feb 9 07:45:00 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 73.0
- * Added support for setting a default zoom level applicable for all
- web content
- * High-contrast mode has been updated to allow background images
- * Improved audio quality when playing back audio at a faster or
- slower speed
- * Added NextDNS as alternative option for DNS over HTTPS
- MFSA 2020-05 (bsc#1163368)
- * CVE-2020-6796 (bmo#1610426)
- Missing bounds check on shared memory read in the parent process
- * CVE-2020-6797 (bmo#1596668) (MacOS X only)
- Extensions granted downloads.open permission could open arbitrary
- applications on Mac OSX
- * CVE-2020-6798 (bmo#1602944)
- Incorrect parsing of template tag could result in JavaScript injection
- * CVE-2020-6799 (bmo#1606596) (Windows only)
- Arbitrary code execution when opening pdf links from other
- applications, when Firefox is configured as default pdf reader
- * CVE-2020-6800 (bmo#1595786,bmo#1596706,bmo#1598543,bmo#1604851,
- bmo#1608580,bmo#1608785,bmo#1605777)
- Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
- * CVE-2020-6801 (bmo#1601024,bmo#1601712,bmo#1604836,bmo#1606492)
- Memory safety bugs fixed in Firefox 73
-- updated requirements
- * rust >= 1.39
- * NSS >= 3.49.2
- * rust-cbindgen >= 0.12.0
-- rebased patches
-- removed obsolete patch
- * mozilla-bmo1601707.patch
-- switched to cairo-gtk3-wayland build
- (to fully enable wayland MOZ_ENABLE_WAYLAND=1 needs to be set)
-- disabled elfhack due to failing packager
- https://github.com/openSUSE/firefox-maintenance/issues/28
-- disabled PGO due to build failure
- https://github.com/openSUSE/firefox-maintenance/issues/29
-
--------------------------------------------------------------------
-Tue Jan 28 07:30:16 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc>
-
-- Use a symbolic icon from branding internals
-- Pixmaps no longer required for the desktops
-
--------------------------------------------------------------------
-Wed Jan 22 10:30:21 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 72.0.2
- * Various stability fixes
- * Fixed issues opening files with spaces in their path (bmo#1601905)
- * Fixed a hang opening about:logins when a master password is set
- (bmo#1606992)
- * Fixed a web compatibility issue with CSS Shadow Parts which
- shipped in Firefox 72 (bmo#1604989)
- * Fixed inconsistent playback performance for fullscreen 1080p
- videos on some systems (bmo#1608485)
-
--------------------------------------------------------------------
-Tue Jan 21 12:59:54 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Fix build for aarch64/ppc64le (do not update config.sub file
- for libbacktrace)
-
--------------------------------------------------------------------
-Wed Jan 8 08:19:12 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 72.0.1
- MFSA 2020-03 (bsc#1160498)
- * CVE-2019-17026 (bmo#1607443)
- IonMonkey type confusion with StoreElementHole and FallibleStoreElement
-- Mozilla Firefox 72.0
- * block fingerprinting scripts by default
- * new notification pop-ups
- * Picture-in-picture video
- MFSA 2020-01 (bsc#1160305)
- * CVE-2019-17016 (bmo#1599181)
- Bypass of @namespace CSS sanitization during pasting
- * CVE-2019-17017 (bmo#1603055)
- Type Confusion in XPCVariant.cpp
- * CVE-2019-17020 (bmo#1597645)
- Content Security Policy not applied to XSL stylesheets applied
- to XML documents
- * CVE-2019-17022 (bmo#1602843)
- CSS sanitization does not escape HTML tags
- * CVE-2019-17023 (bmo#1590001) (fixed in NSS FIXME)
- NSS may negotiate TLS 1.2 or below after a TLS 1.3
- HelloRetryRequest had been sent
- * CVE-2019-17024 (bmo#1507180,bmo#1595470,bmo#1598605,bmo#1601826)
- Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
- * CVE-2019-17025 (bmo#1328295,bmo#1328300,bmo#1590447,bmo#1590965
- bmo#1595692,bmo#1597321,bmo#1597481)
- Memory safety bugs fixed in Firefox 72
-- update create-tar.sh to skip compare-locales
-- requires NSPR 4.24 and NSS 3.48
-- removed usage of browser-plugins convention for NPAPI plugins
- from start wrapper and changed the RPM macro to the
- /usr/$LIB/mozilla/plugins location (boo#1160302)
-
--------------------------------------------------------------------
-Mon Dec 2 08:24:05 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 71.0
- * Improvements to Lockwise, our integrated password manager
- * More information about Enhanced Tracking Protection in action
- * Native MP3 decoding on Windows, Linux, and macOS
- * Configuration page (about:config) reimplemented in HTML
- * New kiosk mode functionality, which allows maximum screen space
- for customer-facing displays
- MFSA 2019-36
- * CVE-2019-11756 (bmo#1508776)
- Use-after-free of SFTKSession object
- * CVE-2019-17008 (bmo#1546331)
- Use-after-free in worker destruction
- * CVE-2019-13722 (bmo#1580156) (Windows only)
- Stack corruption due to incorrect number of arguments in WebRTC code
- * CVE-2019-17014 (bmo#1322864)
- Dragging and dropping a cross-origin resource, incorrectly loaded
- as an image, could result in information disclosure
- * CVE-2019-17010 (bmo#1581084)
- Use-after-free when performing device orientation checks
- * CVE-2019-17005 (bmo#1584170)
- Buffer overflow in plain text serializer
- * CVE-2019-17011 (bmo#1591334)
- Use-after-free when retrieving a document in antitracking
- * CVE-2019-17012 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209
- bmo#1580288, bmo#1585760, bmo#1592502)
- Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3
- * CVE-2019-17013 (bmo#1298509, bmo#1472328, bmo#1577439, bmo#1577937
- bmo#1580320, bmo#1584195, bmo#1585106, bmo#1586293, bmo#1593865
- bmo#1594181)
- Memory safety bugs fixed in Firefox 71
-- requires
- NSPR >= 4.23
- NSS >= 3.47.1
- rust/cargo >= 1.37
-- reactivate webrtc for platforms where it was disabled
-- updated create-tar.sh to cover buildid and origin repo information
- -> removed obsolete source-stamp.txt
-- removed obsolete patches
- mozilla-bmo1511604.patch
- mozilla-openaes-decl.patch
-- changed locale building procedure
- * removed obsolete compare-locales.tar.xz
-- added mozilla-bmo1601707.patch to fix gcc/LTO builds
- (bmo#1601707, boo#1158466)
-- added mozilla-bmo849632.patch to fix big endian issues in skia
- used for WebGL
-
--------------------------------------------------------------------
-Fri Nov 1 14:16:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 70.0.1
- * Fix for an issue that caused some websites or page elements using
- dynamic JavaScript to fail to load. (bmo#1592136)
- * Title bar no longer shows in full screen view (bmo#1588747)
-- added mozilla-bmo1504834-part4.patch to fix some visual issues on
- big endian platforms
-
--------------------------------------------------------------------
-Sun Oct 20 20:19:31 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 70.0
- * more privacy protections from Enhanced Tracking Protection
- * Firefox Lockwise passwordmanager
- * Improvements to core engine components, for better browsing on more sites
- * Improved privacy and security indicators
- MFSA 2019-34
- * CVE-2018-6156 (bmo#1480088)
- Heap buffer overflow in FEC processing in WebRTC
- * CVE-2019-15903 (bmo#1584907)
- Heap overflow in expat library in XML_GetCurrentLineNumber
- * CVE-2019-11757 (bmo#1577107)
- Use-after-free when creating index updates in IndexedDB
- * CVE-2019-11759 (bmo#1577953)
- Stack buffer overflow in HKDF output
- * CVE-2019-11760 (bmo#1577719)
- Stack buffer overflow in WebRTC networking
- * CVE-2019-11761 (bmo#1561502)
- Unintended access to a privileged JSONView object
- * CVE-2019-11762 (bmo#1582857)
- document.domain-based origin isolation has same-origin-property violation
- * CVE-2019-11763 (bmo#1584216)
- Incorrect HTML parsing results in XSS bypass technique
- * CVE-2019-11765 (bmo#1562582)
- Incorrect permissions could be granted to a website
- * CVE-2019-17000 (bmo#1441468)
- CSP bypass using object tag with data: URI
- * CVE-2019-17001 (bmo#1587976)
- CSP bypass using object tag when script-src 'none' is specified
- * CVE-2019-17002 (bmo#1561056)
- upgrade-insecure-requests was not being honored for links dragged and dropped
- * CVE-2019-11764 (bmo#1558522, bmo#1577061, bmo#1548044, bmo#1571223,
- bmo#1573048, bmo#1578933, bmo#1575217, bmo#1583684, bmo#1586845, bmo#1581950,
- bmo#1583463, bmo#1586599)
- Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2
-- requires
- rust/cargo >= 1.36
- NSPR >= 4.22
- NSS >= 3.46.1
- rust-cbindgen >= 0.9.1
-- removed obsolete patches
- mozilla-bmo1573381.patch
- mozilla-nestegg-big-endian.patch
-
--------------------------------------------------------------------
-Sun Oct 13 08:58:12 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 69.0.3
- * Fixed Yahoo mail users being prompted to download files when
- clicking on emails (bmo#1582848)
-- devel package build can easily be disabled now
-
--------------------------------------------------------------------
-Thu Oct 3 08:40:05 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 69.0.2
- * Fixed a crash when editing files on Office 365 websites (bmo#1579858)
- * Fixed a Linux-only crash when changing the playback speed while
- watching YouTube videos (bmo#1582222)
-- updated supported locale list
-- Allow to build without profile guided optimizations (boo#1040589)
- (contributed by Bernhard Wiedemann)
-- Make build verbose (contributed by Martin Liška)
-- remove obsolete kde.js setting (boo#1151186) and related patch
- firefox-add-kde.js-in-order-to-survive-PGO-build.patch
-- update create-tar.sh to latest revision and adjusted tar_stamps
-- add mozilla-fix-top-level-asm.patch to fix LTO build (w/o PGO)
-- extension preferences moved from branding package to core package
- (packaging but not branding specific)
-
--------------------------------------------------------------------
-Thu Sep 19 13:31:16 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 69.0.1
- * Fixed external programs launching in the background when clicking
- a link from inside Firefox to launch them (bmo#1570845)
- * Usability improvements to the Add-ons Manager for users with
- screen readers (bmo#1567600)
- * Fixed the Captive Portal notification bar not being dismissable
- in some situations after login is complete (bmo#1578633)
- * Fixed the maximum size of fonts in Reader Mode when zoomed (bmo#1578454)
- * Fixed missing stacks in the Developer Tools Performance section
- (bmo#1578354)
- MFSA 2019-31
- * CVE-2019-11754 (bmo#1580506)
- Pointer Lock is enabled with no user notification
-- disable DOH by default
-
--------------------------------------------------------------------
-Thu Sep 5 13:02:39 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 69.0
- * Enhanced Tracking Protection (ETP) for stronger privacy protections
- * Block Autoplay feature is enhanced to give users the option to block
- any video
- * Users in the US or using the en-US browser, can get a new “New Tab”
- page experience connecting to the best of Pocket's content.
- * Support for the Web Authentication HmacSecret extension via
- Windows Hello introduced.
- * Support for receiving multiple video codecs with this release makes
- it easier for WebRTC conferencing services to mix video from
- different clients.
- MFSA 2019-25 (boo#1149324)
- * CVE-2019-11741 (bmo#1539595)
- Isolate addons.mozilla.org and accounts.firefox.com
- * CVE-2019-5849 (bmo#1555838)
- Out-of-bounds read in Skia
- * CVE-2019-11737 (bmo#1388015)
- Content security policy directives ignore port and path if host is a wildcard
- * CVE-2019-11734 (bmo#1352875,bmo#1536227,bmo#1557208,bmo#1560641)
- Memory safety bugs fixed in Firefox 69
- * CVE-2019-11735 (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912,
- bmo#1565744,bmo#1568858,bmo#1570358)
- Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
- * CVE-2019-11740 (bmo#1563133,bmo#1573160)
- Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
-- requires
- * rust/cargo >= 1.35
- * rust-cbindgen >= 0.9.0
- * mozilla-nss >= 3.45
-- rebased patches
-
--------------------------------------------------------------------
-Wed Sep 4 15:38:40 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- added a bunch of patches mainly for big endian platforms
- * mozilla-bmo1504834-part1.patch
- * mozilla-bmo1504834-part2.patch
- * mozilla-bmo1504834-part3.patch
- * mozilla-bmo1511604.patch
- * mozilla-bmo1554971.patch
- * mozilla-bmo1573381.patch
- * mozilla-nestegg-big-endian.patch
- * mozilla-bmo1512162.patch
-
--------------------------------------------------------------------
-Fri Aug 30 20:49:11 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 68.1.0
- MFSA 2019-26
- * CVE-2019-11751 (bmo#1572838; Windows only)
- Malicious code execution through command line parameters
- * CVE-2019-11746 (bmo#1564449)
- Use-after-free while manipulating video
- * CVE-2019-11744 (bmo#1562033)
- XSS by breaking out of title and textarea elements using innerHTML
- * CVE-2019-11742 (bmo#1559715)
- Same-origin policy violation with SVG filters and canvas to steal
- cross-origin images
- * CVE-2019-11736 (bmo#1551913, bmo#1552206; Windows only))
- File manipulation and privilege escalation in Mozilla Maintenance Service
- * CVE-2019-11753 (bmo#1574980; Windows only)
- Privilege escalation with Mozilla Maintenance Service in custom
- Firefox installation location
- * CVE-2019-11752 (bmo#1501152)
- Use-after-free while extracting a key value in IndexedDB
- * CVE-2019-9812 (bmo#1538008, bmo#1538015)
- Sandbox escape through Firefox Sync
- * CVE-2019-11743 (bmo#1560495)
- Cross-origin access to unload event attributes
- * CVE-2019-11748 (bmo#1564588)
- Persistence of WebRTC permissions in a third party context
- * CVE-2019-11749 (bmo#1565374)
- Camera information available without prompting using getUserMedia
- * CVE-2019-11750 (bmo#1568397)
- Type confusion in Spidermonkey
- * CVE-2019-11738 (bmo#1452037)
- Content security policy bypass through hash-based sources in directives
- * CVE-2019-11747 (bmo#1564481)
- 'Forget about this site' removes sites from pre-loaded HSTS list
- * CVE-2019-11735i (bmo#1561404,bmo#1561484,bmo#1568047,bmo#1561912,
- bmo#1565744,bmo#1568858,bmo#1570358)
- Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1
- * CVE-2019-11740 (bmo#1563133,bmo#1573160)
- Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9
-- switched package to ESR branch
-- added mozilla-bmo1568145.patch to make builds reproducible
-- removed upstreamed patch mozilla-gcc-internal-compiler-error.patch
-
--------------------------------------------------------------------
-Sun Aug 18 17:29:25 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>
-
-- Mozilla Firefox 68.0.2:
- * Fixed a bug causing some special characters to be cut off from
- the end of the search terms when searching from the URL bar
- (bmo#1560228)
- * Allow fonts to be loaded via file:// URLs when opening a page
- locally (bmo#1565942)
- * Printing emails from the Outlook web app no longer prints only
- the header and footer (bmo#1567105)
- * Fixed a bug causing some images not to be displayed on reload,
- including on Google Maps (bmo# 1565542)
- * Fixed an error when starting external applications configured
- as URI handlers (bmo#1567614)
- MFSA 2019-24 (boo#1145665)
- * CVE-2019-11733: Stored passwords in 'Saved Logins' can be
- copied without master password entry (bmo#1565780)
-- drop fix-build-after-y2038-changes-in-glibc.patch, upstream
-
--------------------------------------------------------------------
-Fri Aug 16 16:49:24 UTC 2019 - Jonathan Brielmaier <jbrielmaier@suse.de>
-
-- Fix crash when typing in the URL bar on ppc64le (bmo#1512162).
- The upstream patch doesn't resolve the issue on TW, but compiling
- with -O1 does. Do this until we have a proper fix.
-
--------------------------------------------------------------------
-Thu Aug 1 14:25:02 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Update build constraints to fix arm builds
-
--------------------------------------------------------------------
-Fri Jul 19 08:11:27 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 68.0.1
- * Fixed missing Full Screen button when watching videos in full
- screen mode on HBO GO (bmo#1562837)
- * Fixed a bug causing incorrect messages to appear for some
- locales when sites try to request the use of the Storage
- Access API (bmo#1558503)
- * Users in Russian regions may have their default search engine
- changed (bmo#1565315)
- * Built-in search engines in some locales do not function
- correctly (bmo#1565779)
- * SupportMenu policy doesn't always work (bmo#1553290)
- * Allow the privacy.file_unique_origin pref to be controlled by
- policy (bmo#1563759)
-
--------------------------------------------------------------------
-Thu Jul 11 10:51:39 UTC 2019 - Jiri Slaby <jslaby@suse.com>
-
-- add fix-build-after-y2038-changes-in-glibc.patch
-
--------------------------------------------------------------------
-Wed Jul 10 13:47:41 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>
-
-- Generate langpacks sequentially to avoid file corruption
- from racy file writes (boo#1137970)
-
--------------------------------------------------------------------
-Mon Jul 8 13:30:35 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 68.0
- * Dark mode in reader view
- * Improved extension security and discovery
- * Cryptomining and fingerprinting protections are added to strict
- content blocking settings in Privacy & Security preferences
- * Camera and microphone access now require an HTTPS connection
- MFSA 2019-21 (bsc#1140868)
- * CVE-2019-9811 (bmo#1538007, bmo#1539598, bmo#1563327)
- Sandbox escape via installation of malicious languagepack
- * CVE-2019-11711 (bmo#1552541)
- Script injection within domain through inner window reuse
- * CVE-2019-11712 (bmo#1543804)
- Cross-origin POST requests can be made with NPAPI plugins by
- following 308 redirects
- * CVE-2019-11713 (bmo#1528481)
- Use-after-free with HTTP/2 cached stream
- * CVE-2019-11714 (bmo#1542593)
- NeckoChild can trigger crash when accessed off of main thread
- * CVE-2019-11729 (bmo#1515342)
- Empty or malformed p256-ECDH public keys may trigger a segmentation fault
- * CVE-2019-11715 (bmo#1555523)
- HTML parsing error can contribute to content XSS
- * CVE-2019-11716 (bmo#1552632)
- globalThis not enumerable until accessed
- * CVE-2019-11717 (bmo#1548306)
- Caret character improperly escaped in origins
- * CVE-2019-11718 (bmo#1408349)
- Activity Stream writes unsanitized content to innerHTML
- * CVE-2019-11719 (bmo#1540541)
- Out-of-bounds read when importing curve25519 private key
- * CVE-2019-11720 (bmo#1556230)
- Character encoding XSS vulnerability
- * CVE-2019-11721 (bmo#1256009)
- Domain spoofing through unicode latin 'kra' character
- * CVE-2019-11730 (bmo#1558299)
- Same-origin policy treats all files in a directory as having the
- same-origin
- * CVE-2019-11723 (bmo#1528335)
- Cookie leakage during add-on fetching across private browsing boundaries
- * CVE-2019-11724 (bmo#1512511)
- Retired site input.mozilla.org has remote troubleshooting permissions
- * CVE-2019-11725 (bmo#1483510)
- Websocket resources bypass safebrowsing protections
- * CVE-2019-11727 (bmo#1552208)
- PKCS#1 v1.5 signatures can be used for TLS 1.3
- * CVE-2019-11728 (bmo#1552993)
- Port scanning through Alt-Svc header
- * CVE-2019-11710 (bmo#1549768, bmo#1548611, bmo#1533842, bmo#1537692,
- bmo#1540590, bmo#1551907, bmo#1510345, bmo#1535482, bmo#1535848,
- bmo#1547472, bmo#1547760, bmo#1507696, bmo#1544180)
- Memory safety bugs fixed in Firefox 68
- * CVE-2019-11709 (bmo#1547266, bmo#1540759, bmo#1548822, bmo#1550498
- bmo#1515052, bmo#1539219, bmo#1547757, bmo#1550498, bmo#1533522)
- Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8
-- requires
- * NSS 3.44.1
- * rust/cargo 1.34
- * rust-cbindgen 0.8.7
-- rebased patches
- * mozilla-aarch64-startup-crash.patch
- * mozilla-kde.patch
- * mozilla-nongnome-proxies.patch
- * firefox-kde.patch
-- use new create-tar.sh and add tar_stamps for package definitions
-- added patches imported from SLE flavour
- * mozilla-gcc-internal-compiler-error.patch
- * mozilla-bmo1005535.patch
- * mozilla-ppc-altivec_static_inline.patch
- * mozilla-reduce-rust-debuginfo.patch
- * mozilla-s390-bigendian.patch
- * mozilla-s390-context.patch
-
--------------------------------------------------------------------
-Mon Jul 2 14:15:17 UTC 2019 - Martin Liška <mliska@suse.cz>
-
-- Enable PGO for x86_64.
- * added firefox-add-kde.js-in-order-to-survive-PGO-build.patch
-
--------------------------------------------------------------------
-Thu Jun 20 06:20:59 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 67.0.4
- MFSA 2019-19 (boo#1138872)
- * CVE-2019-11708 (bmo#1559858)
- sandbox escape using Prompt:Open
-
--------------------------------------------------------------------
-Tue Jun 18 18:36:15 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 67.0.3
- MFSA 2019-18 (boo#1138614)
- * CVE-2019-11707 (bmo#1544386)
- Type confusion in Array.pop
-
--------------------------------------------------------------------
-Thu Jun 12 14:56:32 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Mozilla Firefox 67.0.2
- * Fixed: Fix JavaScript error ("TypeError: data is null in
- PrivacyFilter.jsm") in console which may significantly degrade
- sessionstore reliability and performance (bmo#1553413)
- * Fixed: Proxy authentication dialog box repeatedly pops up
- asking to authenticate after upgrading to Firefox 67 (bmo#1548804)
- * Fixed: Pearson MyCloud breaks if FIDO U2F is not Chrome's
- implementation (bmo#1551282)
- * Fixed: Starting in safe mode on Linux or macOS causes Firefox
- to think on the subsequent launch that the profile is too
- recent to be used with this version of Firefox (bmo#1556612)
- * Fixed: Linux distribution users can't easily install/use
- additional/different languages using the built-in preferences
- UI (bmo#1554744)
- * Fixed: Developer tools users can't copy the href/src content
- from various HTML tags via the context menu in the Inspector
- markup view (bmo#1552275)
- * Fixed: Custom home page is broken with clearing data on shutdown
- settings applied (bmo#1554167)
- * Fixed: Performance-regression for eclipse RAP based applications
- (bmo#1555962)
- * Fixed: macOS 10.15 crash fix (bmo#1556076)
- * Fixed: Can't start two downloads in parallel via <a download>
- anymore (bmo#1542912)
-
--------------------------------------------------------------------
-Thu Jun 6 06:49:51 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Mozilla Firefox 67.0.1
- * enable enhanced tracking protection by default for new users
- * upgrade of Facebook container to version 2.0
- * new version of Firefox Lockwise (password management)
- * new version of Firefox Monitor
- * Firefox Send improvements
-
--------------------------------------------------------------------
-Sun May 19 20:40:30 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 67.0
- * Firefox 67 will be able to run different Firefox installs side by side
- https://blog.nightly.mozilla.org/2019/01/14/moving-to-a-profile-per-install-architecture/
- * Tabs can now be pinned from the Page Actions menu in the address bar
- * Users can block known cryptominers and fingerprinters in the
- Custom settings or their Content Blocking preferences
- * The Import Data from Another Browser feature is now also available
- from the File menu
- * Firefox will now protect you against running older versions which
- can lead to data corruption and stability issues
- * Easier access to your list of saved logins from the main menu and
- login autocomplete
- * We’ve added a toolbar menu for your Firefox Account to provide more
- transparency for when you are synced, sharing data across devices
- and with Firefox. Personalize the appearance of the menu with your
- own avatar
- * Enable FIDO U2F API, and permit registrations for Google Accounts
- * Enabled AV1 support on Linux
- MFSA 2019-13 (boo#1135824)
- * CVE-2019-9815 (bmo#1546544)
- Disable hyperthreading on content JavaScript threads on macOS
- * CVE-2019-9816 (bmo#1536768)
- Type confusion with object groups and UnboxedObjects
- * CVE-2019-9817 (bmo#1540221)
- Stealing of cross-domain images using canvas
- * CVE-2019-9818 (bmo#1542581) (Windows only)
- Use-after-free in crash generation server
- * CVE-2019-9819 (bmo#1532553)
- Compartment mismatch with fetch API
- * CVE-2019-9820 (bmo#1536405)
- Use-after-free of ChromeEventHandler by DocShell
- * CVE-2019-9821 (bmo#1539125)
- Use-after-free in AssertWorkerThread
- * CVE-2019-11691 (bmo#1542465)
- Use-after-free in XMLHttpRequest
- * CVE-2019-11692 (bmo#1544670)
- Use-after-free removing listeners in the event listener manager
- * CVE-2019-11693 (bmo#1532525)
- Buffer overflow in WebGL bufferdata on Linux
- * CVE-2019-7317 (bmo#1542829)
- Use-after-free in png_image_free of libpng library
- * CVE-2019-11694 (bmo#1534196) (Windows only)
- Uninitialized memory memory leakage in Windows sandbox
- * CVE-2019-11695 (bmo#1445844)
- Custom cursor can render over user interface outside of web content
- * CVE-2019-11696 (bmo#1392955)
- Java web start .JNLP files are not recognized as executable files
- for download prompts
- * CVE-2019-11697 (bmo#1440079)
- Pressing key combinations can bypass installation prompt delays and
- install extensions
- * CVE-2019-11698 (bmo#1543191)
- Theft of user history data through drag and drop of hyperlinks
- to and from bookmarks
- * CVE-2019-11700 (bmo#1549833) (Windows only)
- res: protocol can be used to open known local files
- * CVE-2019-11699 (bmo#1528939)
- Incorrect domain name highlighting during page navigation
- * CVE-2019-11701 (bmo#1518627)
- webcal: protocol default handler loads vulnerable web page
- * CVE-2019-9814 (bmo#1527592, bmo#1534536, bmo#1520132, bmo#1543159,
- bmo#1539393, bmo#1459932, bmo#1459182, bmo#1516425)
- Memory safety bugs fixed in Firefox 67
- * CVE-2019-9800 (bmo#1540166, bmo#1534593, bmo#1546327, bmo#1540136,
- bmo#1538736, bmo#1538042, bmo#1535612, bmo#1499719, bmo#1499108,
- bmo#1538619, bmo#1535194, bmo#1516325, bmo#1542324, bmo#1542097,
- bmo#1532465, bmo#1533554, bmo#1541580)
- Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
-- requires
- * rust/cargo >= 1.32
- * mozilla-nspr >= 4.21
- * mozilla-nss >= 3.43
- * rust-cbindgen >= 0.8.2
-- rebased patches
-- KDE integration for default browser detection is broken in this revision
-
--------------------------------------------------------------------
-Fri May 17 12:04:49 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Fix armv7 build with:
- * mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
-
--------------------------------------------------------------------
-Fri May 10 10:30:05 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Mozilla Firefox 66.0.5
- * Fixed: Further improvements to re-enable web extensions which
- had been disabled for users with a master password set (bmo#1549249)
-
--------------------------------------------------------------------
-Sun May 5 20:21:02 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 66.0.4 (boo#1134126)
- * fix extension certificate chain
- https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
-
--------------------------------------------------------------------
-Thu Apr 11 09:16:17 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Mozilla Firefox 66.0.3
- * Fixed: Address bar on tablets running Windows 10 now behaves
- correctly (bmo#1498973)
- * Fixed: Performance issues with some HTML5 games (bmo#1537609)
- * Fixed a bug with keypress events in IBM cloud applications
- (bmo#1538970)
- * Fix for keypress events in some Microsoft cloud applications
- (bmo#1539618)
- * Changed: Updated Baidu search plugin
-
--------------------------------------------------------------------
-Thu Mar 28 19:01:41 UTC 2019 - Manfred Hollstein <manfred.h@gmx.net>
-
-- Mozilla Firefox 66.0.2
- * Fixed Web compatibility issues with Office 365, iCloud and
- IBM WebMail caused by recent changes to the handling of
- keyboard events (bmo#1538966)
- * Crash fixes (bmo#1521370, bmo#1539118)
-
--------------------------------------------------------------------
-Thu Mar 28 09:58:36 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Add patch to fix aarch64 build:
- * mozilla-fix-aarch64-libopus.patch (bmo#1539737)
-
--------------------------------------------------------------------
-Fri Mar 22 22:22:08 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 66.0.1
- MFSA 2019-09 (bsc#1130262)
- * CVE-2019-9810 (bmo#1537924)
- IonMonkey MArraySlice has incorrect alias information
- * CVE-2019-9813 (bmo#1538006)
- Ionmonkey type confusion with __proto__ mutations
-
--------------------------------------------------------------------
-Sun Mar 17 10:08:51 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 66.0
- * Increased content processes to 8
- * Added capability to search through open tabs from the tab overflow menu
- * New backend for the storage.local WebExtensions API, providing
- I/O performance improvements when the extension updates a small
- subset of the stored data
- * WebExtension keyboard shortcuts can now be managed or overridden
- from about:addons
- * Improved scrolling behavior: Firefox will now attempt to keep content
- from jumping around while a page is loading by supporting scroll
- anchoring
- * New about:privatebrowsing with search
- * A certificate error page now notifies the user of the name of the
- certificate issuer that breaks HTTPs connections on intercepted
- connections to help troubleshooting possible anti-virus software
- issues.
- * Fixed an performance issue some Linux users experienced with the
- Downloads panel (bmo#1517101)
- * Firefox now blocks all autoplay media with sound by default. Users
- can add individual sites to an exceptions list or turn the blocking
- off.
- * System title bar is hidden by default to match Gnome guideline
- MFSA 2019-07 (bsc#1129821)
- * CVE-2019-9790 (bmo#1525145)
- Use-after-free when removing in-use DOM elements
- * CVE-2019-9791 (bmo#1530958)
- Type inference is incorrect for constructors entered through on-stack
- replacement with IonMonkey
- * CVE-2019-9792 (bmo#1532599)
- IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
- * CVE-2019-9793 (bmo#1528829)
- Improper bounds checks when Spectre mitigations are disabled
- * CVE-2019-9794 (bmo#1530103) (Windows only)
- Command line arguments not discarded during execution
- * CVE-2019-9795 (bmo#1514682)
- Type-confusion in IonMonkey JIT compiler
- * CVE-2019-9796 (bmo#1531277)
- Use-after-free with SMIL animation controller
- * CVE-2019-9797 (bmo#1528909)
- Cross-origin theft of images with createImageBitmap
- * CVE-2019-9798 (bmo#1527534) (Android only)
- Library is loaded from world writable APITRACE_LIB location
- * CVE-2019-9799 (bmo#1505678)
- Information disclosure via IPC channel messages
- * CVE-2019-9801 (bmo#1527717) (Windows only)
- Windows programs that are not 'URL Handlers' are exposed to web content
- * CVE-2019-9802 (bmo#1415508)
- Chrome process information leak
- * CVE-2019-9803 (bmo#1515863, bmo#1437009)
- Upgrade-Insecure-Requests incorrectly enforced for same-origin navigation
- * CVE-2019-9804 (bmo#1518026) (MacOS only)
- Code execution through 'Copy as cURL' in Firefox Developer Tools on macOS
- * CVE-2019-9805 (bmo#1521360)
- Potential use of uninitialized memory in Prio
- * CVE-2019-9806 (bmo#1525267)
- Denial of service through successive FTP authorization prompts
- * CVE-2019-9807 (bmo#1362050)
- Text sent through FTP connection can be incorporated into alert messages
- * CVE-2019-9809 (bmo#1282430, bmo#1523249)
- Denial of service through FTP modal alert error messages
- * CVE-2019-9808 (bmo#1434634)
- WebRTC permissions can display incorrect origin with data: and blob: URLs
- * CVE-2019-9789 bmo#1520483, bmo#1522987, bmo#1528199, bmo#1519337,
- bmo#1525549, bmo#1516179, bmo#1518524, bmo#1518331, bmo#1526579,
- bmo#1512567, bmo#1524335, bmo#1448505, bmo#1518821
- Memory safety bugs fixed in Firefox 66
- * CVE-2019-9788 bmo#1518001, bmo#1521304, bmo#1521214, bmo#1506665,
- bmo#1516834, bmo#1518774, bmo#1524755, bmo#1523362, bmo#1524214, bmo#1529203
- Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
-- updated build/runtime requirements
- * mozilla-nss >= 3.42.1
- * cargo/rust >= 1.31
- * rust-cbindgen >= 0.6.8
- * nasm >= 2.13 (new)
-- removed obsolete patch
- * mozilla-bmo256180.patch
-
--------------------------------------------------------------------
-Tue Mar 5 10:17:01 UTC 2019 - Stephan Kulow <coolo@suse.com>
-
-- Do not hardcode nodejs8 but leave the prefer to the distribution
- (Tumbleweed staging wants to switch to nodejs10)
-
--------------------------------------------------------------------
-Fri Feb 15 13:45:57 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Update _constraints to avoid 'no space left' error seen on aarch64
-
--------------------------------------------------------------------
-Wed Feb 13 07:17:28 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 65.0.1
- * Fixed accidental requests to addons.mozilla.org when an addon
- recommendation doorhanger is shown (bmo#1526387)
- * Improved playback of interactive Netflix videos (bmo#1524500)
- * Fixed incorrect sizing of the "Clear Recent History" window in
- some situations (bmo#1523696)
- * Fixed audio & video delays while making WebRTC calls
- (bmo#1521577, bmo#1523817)
- * Fixed video sizing problems during some WebRTC calls (bmo#1520200)
- * Fixed looping CONNECT requests when using WebSockets over HTTP/2
- from behind a proxy server (bmo#1523427)
- * Fixed the "Enter" key not working on password entry fields for
- certain Linux distributions (bmo#1523635)
- MFSA 2019-04 (bsc#1125330)
- * CVE-2018-18356 bmo#1525817
- Use-after-free in Skia
- * CVE-2019-5785 bmo#1525433
- Integer overflow in Skia
- * CVE-2018-18511 bmo#1526218
- Cross-origin theft of images with ImageBitmapRenderingContext
-
--------------------------------------------------------------------
-Wed Feb 13 06:12:43 UTC 2019 - Martin Liška <mliska@suse.cz>
-
-- Enable LTO only for latest new toolchain (boo#1125038) for x86_64
- (with increased memory constraints)
-
--------------------------------------------------------------------
-Sat Jan 26 22:37:01 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- Mozilla Firefox 65.0
- * Enhanced tracking protection
- * allow switching of UI locales within preferences
- * support for the WebP image format
- * "top"-like about:performance
- MFSA 2019-01 (bsc#1122983)
- * CVE-2018-18500 bmo#1510114
- Use-after-free parsing HTML5 stream
- * CVE-2018-18503 bmo#1509442
- Memory corruption with Audio Buffer
- * CVE-2018-18504 bmo#1496413
- Memory corruption and out-of-bounds read of texture client
- * CVE-2018-18505 bmo#1497749
- Privilege escalation through IPC channel messages
- * CVE-2018-18506 bmo#1503393
- Proxy Auto-Configuration file can define localhost access to be proxied
- * CVE-2018-18502 bmo#1499426 bmo#1480090 bmo#1472990 bmo#1514762
- bmo#1501482 bmo#1505887 bmo#1508102 bmo#1508618 bmo#1511580
- bmo#1493497 bmo#1510145 bmo#1516289 bmo#1506798 bmo#1512758
- Memory safety bugs fixed in Firefox 65
- * CVE-2018-18501 bmo#1512450 bmo#1517542 bmo#1513201 bmo#1460619
- bmo#1502871 bmo#1516738 bmo#1516514
- Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5
-- requires
- NSS 3.41
- rust/carge 1.30
- rust-cbindgen 0.6.7
-- rebased patches
-- remove workaround for build memory consumption on i586; other
- mitigations meanwhile introduced (mainly parallelity) will be
- sufficient
- mozilla-reduce-files-per-UnifiedBindings.patch
-
--------------------------------------------------------------------
-Tue Jan 15 14:32:03 UTC 2019 - Martin Liška <mliska@suse.cz>
-
-- Increase disk constraint.
-
--------------------------------------------------------------------
-Mon Jan 14 12:12:12 UTC 2019 - Martin Liška <mliska@suse.cz>
-
-- Remove -v from mach build in order to work-around bmo#1500436.
-
--------------------------------------------------------------------
-Fri Jan 11 15:07:14 UTC 2019 - Martin Liška <mliska@suse.cz>
-
-- Set %clang_build to false on all architectures
-- Do not use -fno-delete-null-pointer-checks and -fno-strict-aliasing:
- it should not be needed anymore
-- Do not overwrite enable-optimize and when possible
- enable --enable-debug-symbols.
-- Add -v to mach in order to make build verbose.
-
--------------------------------------------------------------------
-Wed Jan 9 22:40:14 UTC 2019 - astieger@suse.com
-
-- Mozilla Firefox 64.0.2:
- * Update the Japanese translation for missing strings (bmo#1513259)
- * Properly restore column sizes in developer tools inspector (bmo#1503175)
- * Fixed video stuttering on Youtube (bmo#1513511)
- * Fix updates for some lightweight themes (bmo#1508777)
-
--------------------------------------------------------------------
-Tue Dec 18 14:46:41 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Enable build_hardened for all architectures
-- Switch back aarch64 to clang as '-fPIC' fixes bmo#1513605
-- Remove obolete '--enable-pie' as -pie is always enabled for
- gcc and clang
-
--------------------------------------------------------------------
-Wed Dec 12 17:33:29 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Switch aarch64 builds back to gcc, not clang (bmo#1513605)
-- Switch %arm builds back to gcc, not clang to avoid OOM
-- Fix build flags when clang is not used
-- Fix flags for clang ppc64 builds
-
--------------------------------------------------------------------
-Tue Dec 11 08:45:56 UTC 2018 - Wolfgang Rosenauer <wr@rosenauer.org>
-
-- update to Firefox 64.0
- * Better recommendations: You may see suggestions in regular browsing
- mode for new and relevant Firefox features, services, and extensions
- based on how you use the web (for US users only)
- * Enhanced tab management: You can now select multiple tabs from the
- tab bar and close, move, bookmark, or pin them quickly and easily
- * Easier performance management: The new Task Manager page found at
- about:performance lets you see how much energy each open tab consumes
- and provides access to close tabs to conserve power
- * Improved performance for Mac and Linux users, by enabling link time
- optimization (Clang LTO).
- * Added option to remove add-ons using the context menu on their
- toolbar buttons
- * RSS feed preview and live bookmarks are available only via add-ons
- * TLS certificates issued by Symantec are no longer trusted by Firefox.
- Website operators are strongly encouraged to replace any remaining
- Symantec TLS certificates as soon as possible
- MFSA 2018-29 (bsc#1119105)
- * CVE-2018-12407 bmo#1505973
- Buffer overflow with ANGLE library when using VertexBuffer11 module
- * CVE-2018-17466 bmo#1488295
- Buffer overflow and out-of-bounds read in ANGLE library with
- TextureStorage11
- * CVE-2018-18492 bmo#1499861
- Use-after-free with select element
- * CVE-2018-18493 bmo#1504452
- Buffer overflow in accelerated 2D canvas with Skia
- * CVE-2018-18494 bmo#1487964
- Same-origin policy violation using location attribute and
- performance.getEntries to steal cross-origin URLs
- * CVE-2018-18495 bmo#1427585
- WebExtension content scripts can be loaded in about: pages
- * CVE-2018-18496 bmo#1422231 (Windows only)
- Embedded feed preview page can be abused for clickjacking
- * CVE-2018-18497 bmo#1488180
- WebExtensions can load arbitrary URLs through pipe separators
- * CVE-2018-18498 bmo#1500011
- Integer overflow when calculating buffer sizes for images
- * CVE-2018-12406 bmo#1456947 bmo#1475669 bmo#1504816 bmo#1502886
- bmo#1500064 bmo#1500310 bmo#1500696 bmo#1498765 bmo#1499198 bmo#1434490
- bmo#1481745 bmo#1458129
- Memory safety bugs fixed in Firefox 64
- * CVE-2018-12405 bmo#1494752 bmo#1503326 bmo#1505181 bmo#1500759
- bmo#1504365 bmo#1506640 bmo#1503082 bmo#1502013 bmo#1510471
- Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4
-- requires
- * rust/cargo >= 1.29
- * mozilla-nss >= 3.40.1
- * rust-cbindgen >= 0.6.4
-- rebased patches
-- removed obsolete patch
- * mozilla-bmo1491289.patch
-- now uses clang primarily for compilation
-
--------------------------------------------------------------------
-Wed Nov 28 11:07:18 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Remove --disable-elf-hack when not available: on aarch64 and ppc64*
-
--------------------------------------------------------------------
-Mon Nov 26 09:46:02 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org>
-
-- Clean-up %arm build
-
--------------------------------------------------------------------
-Sun Nov 18 11:01:21 UTC 2018 - manfred.h@gmx.net
-
-- update to Firefox 63.0.3
- * Games using WebGL (created in Unity) get stuck after very short
- time of gameplay (bmo#1502748)
- * Slow page loading for some users with specific proxy configurations
- (bmo#1495024)
- * Disable HTTP response throttling by default for causing bugs with
- videos in background tabs (bmo#1503354)
- * Opening magnet links no longer works (bmo#1498934)
- * Crash fixes (bmo#1498510, bmo#1503424)
-- removed mozilla-newer-cbindgen.patch; no longer needed
-
--------------------------------------------------------------------
-Thu Nov 8 14:59:13 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 63.0.1
- * Snippets are not loaded due to missing element (bmo#1503047)
- * Print preview always shows 30& scale when it is actually
- Shrink To Fit (bmo#1501952)
- * Dialog displayed when closing multiple windows shows unreplaced
- %1$S placeholder in Japanese and potentially other locales
- (bmo#1500823)
-
--------------------------------------------------------------------
-Mon Oct 29 14:07:51 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 63.0
- * WebExtensions now run in their own process on Linux
- * The Ctrl+Tab shortcut now displays thumbnail previews of your
- tabs and cycles through tabs in recently used order. This new
- default behavior is activated only in new profiles and can be
- changed in preferences.
- * Added support for Web Components custom elements and shadow DOM
- MFSA 2018-26 (bsc#1112852)
- * CVE-2018-12391 (bmo#1478843) (Android-only)
- HTTP Live Stream audio data is accessible cross-origin
- * CVE-2018-12392 (bmo#1492823)
- Crash with nested event loops
- * CVE-2018-12393 (bmo#1495011) (only affects non-64-bit archs)
- Integer overflow during Unicode conversion while loading JavaScript
- * CVE-2018-12395 (bmo#1467523)
- WebExtension bypass of domain restrictions through header rewriting
- * CVE-2018-12396 (bmo#1483602)
- WebExtension content scripts can execute in disallowed contexts
- * CVE-2018-12397 (bmo#1487478)
- Missing warning prompt when WebExtension requests local file access
- * CVE-2018-12398 (bmo#1460538, bmo#1488061)
- CSP bypass through stylesheet injection in resource URIs
- * CVE-2018-12399 (bmo#1490276)
- Spoofing of protocol registration notification bar
- * CVE-2018-12400 (bmo#1448305) (Android only)
- Favicons are cached in private browsing mode on Firefox for Android
- * CVE-2018-12401 (bmo#1422456)
- DOS attack through special resource URI parsing
- * CVE-2018-12402 (bmo#1469916)
- SameSite cookies leak when pages are explicitly saved
- * CVE-2018-12403 (bmo#1484753)
- Mixed content warning is not displayed when HTTPS page loads a favicon over HTTP
- * CVE-2018-12388 (bmo#1472639, bmo#1485698, bmo#1301547, bmo#1471427,
- bmo#1379411, bmo#1482122, bmo#1486314, bmo#1487167)
- Memory safety bugs fixed in Firefox 63
- * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
- bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
- bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
- bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
- Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
-- requires NSPR 4.20, NSS 3.39 and Rust 1.28
-- latest rust does not provide rust-std so stop requiring it
-- requires rust-cbindgen >= 0.6.2 to build
-- requires nodejs >= 8.11 to build
-- added mozilla-bmo1491289.patch to fix system NSS build (bmo#1491289)
-- added mozilla-cubeb-noreturn.patch to fix non-return function
-- added mozilla-newer-cbindgen.patch to fix build with cbindgen 0.6.7
-- disable elfhack for TW and newer due to build errors
-- removed obsolete patches
- * mozilla-no-return.patch
- * mozilla-no-stdcxx-check.patch
-
--------------------------------------------------------------------
-Thu Oct 25 14:39:04 UTC 2018 - guillaume.gardet@opensuse.org
-
-- Update _constraints for armv6/7
-
--------------------------------------------------------------------
-Thu Oct 25 08:50:24 UTC 2018 - guillaume.gardet@opensuse.org
-
-- Add patch to fix build on armv7:
- * mozilla-bmo1463035.patch
-
--------------------------------------------------------------------
-Tue Oct 2 21:28:31 UTC 2018 - astieger@suse.com
-
-- Mozilla Firefox 62.0.3:
- MFSA 2018-24
- * CVE-2018-12386 (bsc#1110506, bmo#1493900)
- Type confusion in JavaScript allowed remote code execution
- * CVE-2018-12387 (bsc#1110507, bmo#1493903)
- Array.prototype.push stack pointer vulnerability may enable
- exploits in the sandboxed content process
-
--------------------------------------------------------------------
-Sat Sep 22 09:03:53 UTC 2018 - astieger@suse.com
-
-- Mozilla Firefox 62.0.2:
- MFSA 2018-22
- * CVE-2018-12385 (boo#1109363, bmo#1490585)
- Crash in TransportSecurityInfo due to cached data
- * Unvisited bookmarks can once again be autofilled in the address
- bar
- * Fix WebGL rendering issues
- * Fix fallback on startup when a language pack is missing
- * Avoid crash when sharing a profile with newer (as yet
- unreleased) versions of Firefox
- * Do not undo removal of search engines when using a language
- pack
- * Fixed rendering of some web sites
- * Restored compatibility with some sites using deprecated TLS
- settings
-- disable rust debug symbols to fix build on %ix86
-
--------------------------------------------------------------------
-Mon Sep 3 10:47:43 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 62.0
- * Firefox Home (the default New Tab) now allows users to display
- up to 4 rows of top sites, Pocket stories, and highlights
- * "Reopen in Container" tab menu option appears for users with
- Containers that lets them choose to reopen a tab in a different
- container
- * In advance of removing all trust for Symantec-issued certificates
- in Firefox 63, a preference was added that allows users to distrust
- certificates issued by Symantec. To use this preference, go to
- about:config in the address bar and set the preference
- "security.pki.distrust_ca_policy" to 2.
- * Support for CSS Shapes, allowing for richer web page layouts.
- This goes hand in hand with a brand new Shape Path Editor in the
- CSS inspector.
- * CSS Variable Fonts (OpenType Font Variations) support, which makes
- it possible to create beautiful typography with a single font file
- * Added Canadian English (en-CA) locale
- MFSA 2018-20 (bsc#1107343)
- * CVE-2018-12377 (bmo#1470260)
- Use-after-free in refresh driver timers
- * CVE-2018-12378 (bmo#1459383)
- Use-after-free in IndexedDB
- * CVE-2018-12379 (bmo#1473113) (updater is disabled for us)
- Out-of-bounds write with malicious MAR file
- * CVE-2017-16541 (bmo#1412081)
- Proxy bypass using automount and autofs
- * CVE-2018-12381 (bmo#1435319)
- Dragging and dropping Outlook email message results in page navigation
- * CVE-2018-12382 (bmo#1479311) (Android only)
- Addressbar spoofing with javascript URI on Firefox for Android
- * CVE-2018-12383 (bmo#1475775)
- Setting a master password post-Firefox 58 does not delete
- unencrypted previously stored passwords
- * CVE-2018-12375
- Memory safety bugs fixed in Firefox 62
- * CVE-2018-12376
- Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
-- requires NSS >= 3.38
-- removed obsolete patch
- mozilla-bmo1464766.patch
-
--------------------------------------------------------------------
-Thu Aug 9 14:22:00 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 61.0.2
- * Improved website rendering with the Retained Display List feature
- enabled (bmo#1474402)
- * Fixed broken DevTools panels with certain extensions installed
- (bmo#1474379)
- * Fixed a crash for users with some accessibility tools enabled
- (bmo#1474007)
-
--------------------------------------------------------------------
-Mon Jul 9 07:22:09 UTC 2018 - astieger@suse.com
-
-- Mozilla Firefox 61.0.1:
- * Fix missing content on the New Tab Page and the Home section of
- the Preferences page (bmo#1471375)
- * Fixed loss of bookmarks under rare circumstances when upgrading
- from Firefox 60 (bmo#1472127)
- * Improved playback of Twitch 1080p video streams (bmo#1469257)
- * Web pages no longer lose focus when a browser popup window is
- opened (bmo#1471415)
- * Re-allowed downloading files from FTP sites via the "Save Link
- As" option when linked from HTTP pages (bmo#1470295)
- * Fixed extensions being unable to override the default homepage
- in certain situations (bmo#1466846)
-
--------------------------------------------------------------------
-Sat Jun 23 07:25:51 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 61.0
- * Performance enhancements
- * Various improvements for dark theme support will provide a more
- consistent experience across the entire Firefox UI
- * OpenSearch plugins offered by web pages can now be added from the
- page action menu for easier installation
- * Improved support for allowing WebExtensions to manage and hide tabs
- MFSA 2018-15 (bsc#1098998)
- * CVE-2018-12359 (bmo#1459162)
- Buffer overflow using computed size of canvas element
- * CVE-2018-12360 (bmo#1459693)
- Use-after-free when using focus()
- * CVE-2018-12361 (bmo#1463244)
- Integer overflow in SwizzleData
- * CVE-2018-12358 (bmo#1467852)
- Same-origin bypass using service worker and redirection
- * CVE-2018-12362 (bmo#1452375)
- Integer overflow in SSSE3 scaler
- * CVE-2018-5156 (bmo#1453127)
- Media recorder segmentation fault when track type is changed during capture
- * CVE-2018-12363 (bmo#1464784)
- Use-after-free when appending DOM nodes
- * CVE-2018-12364 (bmo#1436241)
- CSRF attacks through 307 redirects and NPAPI plugins
- * CVE-2018-12365 (bmo#1459206)
- Compromised IPC child process can list local filenames
- * CVE-2018-12371 (bmo#1465686)
- Integer overflow in Skia library during edge builder allocation
- * CVE-2018-12366 (bmo#1464039)
- Invalid data handling during QCMS transformations
- * CVE-2018-12367 (bmo#1462891)
- Timing attack mitigation of PerformanceNavigationTiming
- * CVE-2018-12369 (bmo#1454909)
- WebExtension security permission checks bypassed by embedded experiments
- * CVE-2018-12370 (bmo#1456652)
- SameSite cookie protections bypassed when exiting Reader View
- * CVE-2018-5186 (bmo#1464872,bmo#1463329,bmo#1419373,bmo#1412882,
- bmo#1413033,bmo#1444673,bmo#1454448,bmo#1453505,bmo#1438671)
- Memory safety bugs fixed in Firefox 61
- * CVE-2018-5187 (bmo#1461324,bmo#1414829,bmo#1395246,bmo#1467938,
- bmo#1461619,bmo#1425930,bmo#1438556,bmo#1454285,bmo#1459568,
- bmo#1463884)
- Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
- * CVE-2018-5188 (bmo#1456189,bmo#1456975,bmo#1465898,bmo#1392739,
- bmo#1451297,bmo#1464063,bmo#1437842,bmo#1442722,bmo#1452576,
- bmo#1450688,bmo#1458264,bmo#1458270,bmo#1465108,bmo#1464829,
- bmo#1464079,bmo#1463494,bmo#1458048)
- Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
-- requires NSS 3.37.3
-- requires python >= 3.5 to build
-- removed obsolete patches
- mozilla-i586-DecoderDoctorLogger.patch
- mozilla-i586-domPrefs.patch
- mozilla-fix-skia-aarch64.patch
- mozilla-bmo1375074.patch
- mozilla-enable-csd.patch
-- patch for new no-return warnings (mozilla-no-return.patch)
-- do not disable system installed locales (mozilla-bmo1464766.patch)
-
--------------------------------------------------------------------
-Fri Jun 8 10:52:13 UTC 2018 - bjorn.lie@gmail.com
-
-- Add conditional for pkgconfig(gconf-2.0) BuildRequires, and pass
- conditional --disable-gconf to configure: no longer pull in
- obsolete gconf2 for Tumbleweed.
-
--------------------------------------------------------------------
-Thu Jun 7 12:11:06 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 60.0.2
- * requires NSS 3.36.4
- MFSA 2018-14 (bsc#1096449)
- * CVE-2018-6126 (bmo#1462682)
- Heap buffer overflow rasterizing paths in SVG with Skia
-
--------------------------------------------------------------------
-Wed Jun 6 18:57:52 UTC 2018 - guillaume.gardet@opensuse.org
-
-- Add upstream patch to fix boo#1093059 instead of '-ffixed-x28'
- workaround:
- * mozilla-bmo1375074.patch
-
--------------------------------------------------------------------
-Sat May 26 15:53:25 UTC 2018 - wr@rosenauer.org
-
-- fixed "open with" option under KDE (boo#1094747)
-- workaround crash on startup on aarch64 (boo#1093059)
- (contributed by guillaume.gardet@arm.com)
-
--------------------------------------------------------------------
-Wed May 23 08:49:09 UTC 2018 - guillaume.gardet@opensuse.org
-
-- Disable webrtc for aarch64 due to bmo#1434589
-- Add patch to fix skia build on AArch64:
- * mozilla-fix-skia-aarch64.patch
-
--------------------------------------------------------------------
-Thu May 17 14:01:18 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 60.0.1
- * Avoid overly long cycle collector pauses with some add-ons installed
- (bmo#1449033)
- * After unckecking the "Sponsored Stories" option, the New Tab page
- now immediately stops displaying "Sponsored content" cards (bmo#1458906)
- * On touchscreen devices, fixed momentum scrolling on non-zoomable pages
- (bmo#1457743)
- * Use the right default background when opening tabs or windows in
- high contrast mode (bmo#1458956)
- * Restored translations of the Preferences panels when using a
- language pack (bmo#1461590)
-
--------------------------------------------------------------------
-Mon May 14 13:37:38 UTC 2018 - pcerny@suse.com
-
-- parellelise locales building
-
--------------------------------------------------------------------
-Mon May 7 08:32:28 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 60.0
- * Added a policy engine that allows customized Firefox deployments
- in enterprise environments, using Windows Group Policy or a
- cross-platform JSON file
- * Applied Quantum CSS to render browser UI
- * Added support for Web Authentication, allowing the use of USB
- tokens for authentication to web sites
- * Locale added: Occitan (oc)
- MFSA 2018-11 (bsc#1092548)
- * CVE-2018-5154 (bmo#1443092)
- Use-after-free with SVG animations and clip paths
- * CVE-2018-5155 (bmo#1448774)
- Use-after-free with SVG animations and text paths
- * CVE-2018-5157 (bmo#1449898)
- Same-origin bypass of PDF Viewer to view protected PDF files
- * CVE-2018-5158 (bmo#1452075)
- Malicious PDF can inject JavaScript into PDF Viewer
- * CVE-2018-5159 (bmo#1441941)
- Integer overflow and out-of-bounds write in Skia
- * CVE-2018-5160 (bmo#1436117)
- Uninitialized memory use by WebRTC encoder
- * CVE-2018-5152 (bmo#1415644, bmo#1427289)
- WebExtensions information leak through webRequest API
- * CVE-2018-5153 (bmo#1436809)
- Out-of-bounds read in mixed content websocket messages
- * CVE-2018-5163 (bmo#1426353)
- Replacing cached data in JavaScript Start-up Bytecode Cache
- * CVE-2018-5164 (bmo#1416045)
- CSP not applied to all multipart content sent with
- multipart/x-mixed-replace
- * CVE-2018-5166 (bmo#1437325)
- WebExtension host permission bypass through filterReponseData
- * CVE-2018-5167 (bmo#1447969)
- Improper linkification of chrome: and javascript: content in
- web console and JavaScript debugger
- * CVE-2018-5168 (bmo#1449548)
- Lightweight themes can be installed without user interaction
- * CVE-2018-5169 (bmo#1319157)
- Dragging and dropping link text onto home button can set home page
- to include chrome pages
- * CVE-2018-5172 (bmo#1436482)
- Pasted script from clipboard can run in the Live Bookmarks page
- or PDF viewer
- * CVE-2018-5173 (bmo#1438025)
- File name spoofing of Downloads panel with Unicode characters
- * CVE-2018-5174 (bmo#1447080) (Windows-only)
- Windows Defender SmartScreen UI runs with less secure behavior
- for downloaded files in Windows 10 April 2018 Update
- * CVE-2018-5175 (bmo#1432358)
- Universal CSP bypass on sites using strict-dynamic in their policies
- * CVE-2018-5176 (bmo#1442840)
- JSON Viewer script injection
- * CVE-2018-5177 (bmo#1451908)
- Buffer overflow in XSLT during number formatting
- * CVE-2018-5165 (bmo#1451452)
- Checkbox for enabling Flash protected mode is inverted in 32-bit
- Firefox
- * CVE-2018-5180 (bmo#1444086)
- heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
- * CVE-2018-5181 (bmo#1424107)
- Local file can be displayed in noopener tab through drag and
- drop of hyperlink
- * CVE-2018-5182 (bmo#1435908)
- Local file can be displayed from hyperlink dragged and dropped
- on addressbar
- * CVE-2018-5151
- Memory safety bugs fixed in Firefox 60
- * CVE-2018-5150
- Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
-- removed obsolete patches
- 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
- mozilla-bmo1005535.patch
-- requires NSPR 4.19 and NSS 3.36.1
-- requires rust 1.24 or higher
-- use upstream source archive and detached signature for
- source verification
-
--------------------------------------------------------------------
-Thu May 3 14:33:37 UTC 2018 - guillaume.gardet@opensuse.org
-
-- Fix armv7 build by:
- * adding RUSTFLAGS="-Cdebuginfo=0"
- * updating _constraints for %arm
-
--------------------------------------------------------------------
-Wed May 2 20:46:37 UTC 2018 - wr@rosenauer.org
-
-- do not try CSD on kwin (boo#1091592)
-- fix build in openSUSE:Leap:42.3:Update, use gcc7
-
--------------------------------------------------------------------
-Tue May 1 14:26:24 UTC 2018 - astieger@suse.com
-
-- Mozilla Firefox 59.0.3:
- * fixes for platforms other than GNU/Linux
-
--------------------------------------------------------------------
-Fri Apr 20 12:31:52 UTC 2018 - mliska@suse.cz
-
-- Add 0001-Bug-1435695-WebRTC-fails-to-build-with-GCC-8-r-dmino.patch
- in order to fix boo#1090362.
-
--------------------------------------------------------------------
-Mon Apr 2 00:55:45 UTC 2018 - badshah400@gmail.com
-
-- Add back mozilla-enable-csd.patch: New rebased version from
- Fedora for version 59.0.x.
-
--------------------------------------------------------------------
-Tue Mar 27 14:07:11 UTC 2018 - schwab@suse.de
-
-- Reduce constraints on aarch64
-
--------------------------------------------------------------------
-Tue Mar 27 06:40:25 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 59.0.2
- * Invalid page rendering with hardware acceleration enabled (bmo#1435472)
- * Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites
- that use those keys with resistFingerprinting enabled (bmo#1433592)
- * High CPU / memory churn caused by third-party software on some
- computers (bmo#1446280)
- * Users who have configured an "automatic proxy configuration URL"
- and want to reload their proxy settings from the URL will find
- the Reload button disabled in the Connection Settings dialog when
- they select Preferences/Options>Network Proxy>Settings... (bmo#1445991)
- * URL Fragment Identifiers Break Service Worker Responses (bmo#1443850)
- * User's trying to cancel a print around the time it completes will
- continue to get intermittent crashes (bmo#1441598)
- MFSA 2018-10 (bsc#1087059)
- * CVE-2018-5148 (bmo#1440717)
- Use-after-free in compositor
-- removed obsolete patch mozilla-bmo1446062.patch
-
--------------------------------------------------------------------
-Wed Mar 21 17:14:24 UTC 2018 - cgrobertson@suse.com
-
-- Added patches:
- * mozilla-i586-DecoderDoctorLogger.patch - bmo#1447070
- fixes non-unified build error
- * mozilla-i586-domPrefs.patch - DOMPrefs.h
- fixes 32bit build error
-
--------------------------------------------------------------------
-Fri Mar 16 06:40:11 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 59.0.1 (bsc#1085671)
- MFSA 2018-08
- * CVE-2018-5146 (bmo#1446062)
- Vorbis audio processing out of bounds write
- * CVE-2018-5147 (bmo#1446365)
- Out of bounds memory write in libtremor
- (mozilla-bmo1446062.patch)
-
--------------------------------------------------------------------
-Wed Mar 14 19:27:07 UTC 2018 - cgrobertson@suse.com
-
-- Added patch:
- * mozilla-bmo1005535.patch:
- Enable skia_gpu on big endian platforms.
-
--------------------------------------------------------------------
-Sun Mar 11 22:12:12 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 59.0
- * Performance enhancements
- * Drag-and-drop to rearrange Top Sites on the Firefox Home page
- * added features for Firefox Screenshots
- * Enhanced WebExtensions API
- * Improved RTC capabilities
- MFSA 2018-06 (bsc#1085130)
- * CVE-2018-5127 (bmo#1430557)
- Buffer overflow manipulating SVG animatedPathSegList
- * CVE-2018-5128 (bmo#1431336)
- Use-after-free manipulating editor selection ranges
- * CVE-2018-5129 (bmo#1428947)
- Out-of-bounds write with malformed IPC messages
- * CVE-2018-5130 (bmo#1433005)
- Mismatched RTP payload type can trigger memory corruption
- * CVE-2018-5131 (bmo#1440775)
- Fetch API improperly returns cached copies of no-store/no-cache resources
- * CVE-2018-5132 (bmo#1408194)
- WebExtension Find API can search privileged pages
- * CVE-2018-5133 (bmo#1430511, bmo#1430974)
- Value of the app.support.baseURL preference is not properly sanitized
- * CVE-2018-5134 (bmo#1429379)
- WebExtensions may use view-source: URLs to bypass content restrictions
- * CVE-2018-5135 (bmo#1431371)
- WebExtension browserAction can inject scripts into unintended contexts
- * CVE-2018-5136 (bmo#1419166)
- Same-origin policy violation with data: URL shared workers
- * CVE-2018-5137 (bmo#1432870)
- Script content can access legacy extension non-contentaccessible resources
- * CVE-2018-5138 (bmo#1432624) (Android only)
- Android Custom Tab address spoofing through long domain names
- * CVE-2018-5140 (bmo#1424261)
- Moz-icon images accessible to web content through moz-icon: protocol
- * CVE-2018-5141 (bmo#1429093)
- DOS attack through notifications Push API
- * CVE-2018-5142 (bmo#1366357)
- Media Capture and Streams API permissions display incorrect origin
- with data: and blob: URLs
- * CVE-2018-5143 (bmo#1422643)
- Self-XSS pasting javascript: URL with embedded tab into addressbar
- * CVE-2018-5126
- Memory safety bugs fixed in Firefox 59
- * CVE-2018-5125
- Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
-- requires NSPR 4.18 and NSS 3.35
-- requires rust >= 1.22.1
-- removed obsolete patches:
- mozilla-alsa-sandbox.patch
- mozilla-enable-csd.patch
- firefox-no-default-ualocale.patch
-- removed l10n_changesets.txt since same information is now in
- Firefox source tree (updated create-tar.sh now requires jq)
-
--------------------------------------------------------------------
-Fri Feb 9 13:37:46 UTC 2018 - astieger@suse.com
-
-- Mozilla Firefox 58.0.2:
- * Blocklisted graphics drivers related to off main thread painting
- crashes
- * Fix tab crash during printing
- * Fix clicking links and scrolling emails on Microsoft Hotmail
- and Outlook (OWA) webmail
-
--------------------------------------------------------------------
-Fri Feb 9 12:06:31 UTC 2018 - wr@rosenauer.org
-
-- correct requires and provides handling (boo#1076907)
-
--------------------------------------------------------------------
-Tue Feb 6 07:03:42 UTC 2018 - fstrba@suse.com
-
-- Added patch:
- * mozilla-alsa-sandbox.patch: Fix bmo#1430274, ALSA sound (still
- or again?) not working in Firefox 58 due to sandboxing.
-
--------------------------------------------------------------------
-Mon Jan 29 22:32:21 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 58.0.1
- MFSA 2018-05
- * Arbitrary code execution through unsanitized browser UI (bmo#1432966)
-- use correct language packs
-- readd mozilla-enable-csd.patch as it only lands for FF59 upstream
-- allow larger number of nested elements (mozilla-bmo256180.patch)
-
--------------------------------------------------------------------
-Tue Jan 23 20:40:57 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 58.0 (bsc#1077291)
- * Added Nepali (ne-NP) locale
- * Added support for form autofill for credit card
- * Optimize page load by caching JavaScript internal representation
- MFSA 2018-02
- * CVE-2018-5091 (bmo#1423086)
- Use-after-free with DTMF timers
- * CVE-2018-5092 (bmo#1418074)
- Use-after-free in Web Workers
- * CVE-2018-5093 (bmo#1415291)
- Buffer overflow in WebAssembly during Memory/Table resizing
- * CVE-2018-5094 (bmo#1415883)
- Buffer overflow in WebAssembly with garbage collection on
- uninitialized memory
- * CVE-2018-5095 (bmo#1418447)
- Integer overflow in Skia library during edge builder allocation
- * CVE-2018-5097 (bmo#1387427)
- Use-after-free when source document is manipulated during XSLT
- * CVE-2018-5098 (bmo#1399400)
- Use-after-free while manipulating form input elements
- * CVE-2018-5099 (bmo#1416878)
- Use-after-free with widget listener
- * CVE-2018-5100 (bmo#1417405)
- Use-after-free when IsPotentiallyScrollable arguments are freed
- from memory
- * CVE-2018-5101 (bmo#1417661)
- Use-after-free with floating first-letter style elements
- * CVE-2018-5102 (bmo#1419363)
- Use-after-free in HTML media elements
- * CVE-2018-5103 (bmo#1423159)
- Use-after-free during mouse event handling
- * CVE-2018-5104 (bmo#1425000)
- Use-after-free during font face manipulation
- * CVE-2018-5105 (bmo#1390882)
- WebExtensions can save and execute files on local file system
- without user prompts
- * CVE-2018-5106 (bmo#1408708)
- Developer Tools can expose style editor information cross-origin
- through service worker
- * CVE-2018-5107 (bmo#1379276)
- Printing process will follow symlinks for local file access
- * CVE-2018-5108 (bmo#1421099)
- Manually entered blob URL can be accessed by subsequent private browsing tabs
- * CVE-2018-5109 (bmo#1405599)
- Audio capture prompts and starts with incorrect origin attribution
- * CVE-2018-5110 (bmo#1423275) (affects only OS X)
- Cursor can be made invisible on OS X
- * CVE-2018-5111 (bmo#1321619)
- URL spoofing in addressbar through drag and drop
- * CVE-2018-5112 (bmo#1425224)
- Extension development tools panel can open a non-relative URL in the panel
- * CVE-2018-5113 (bmo#1425267)
- WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
- * CVE-2018-5114 (bmo#1421324)
- The old value of a cookie changed to HttpOnly remains accessible to scripts
- * CVE-2018-5115 (bmo#1409449)
- Background network requests can open HTTP authentication in unrelated foreground tabs
- * CVE-2018-5116 (bmo#1396399)
- WebExtension ActiveTab permission allows cross-origin frame content access
- * CVE-2018-5117 (bmo#1395508)
- URL spoofing with right-to-left text aligned left-to-right
- * CVE-2018-5118 (bmo#1420049)
- Activity Stream images can attempt to load local content through file:
- * CVE-2018-5119 (bmo#1420507)
- Reader view will load cross-origin content in violation of CORS headers
- * CVE-2018-5121 (bmo#1402368) (affects only OS X)
- OS X Tibetan characters render incompletely in the addressbar
- * CVE-2018-5122 (bmo#1413841)
- Potential integer overflow in DoCrypt
- * CVE-2018-5090
- Memory safety bugs fixed in Firefox 58
- * CVE-2018-5089
- Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
-- requires NSS 3.34.1
-- requires rust 1.21
-- removed obsolete patches:
- mozilla-bindgen-systemlibs.patch
- mozilla-bmo1360278.patch
- mozilla-bmo1399611-csd.patch
- mozilla-rust-1.23.patch
-- rebased patches
-- updated man-page
-
--------------------------------------------------------------------
-Tue Jan 9 18:48:02 UTC 2018 - wr@rosenauer.org
-
-- fixed build with latest rust (mozilla-rust-1.23.patch)
-
--------------------------------------------------------------------
-Thu Jan 4 12:23:41 UTC 2018 - wr@rosenauer.org
-
-- update to Firefox 57.0.4
- MFSA 2018-1: Speculative execution side-channel attack ("Spectre")
- (boo#1074723)
-
--------------------------------------------------------------------
-Wed Jan 3 08:29:38 UTC 2018 - wr@rosenauer.org
-
-- fixed regression introduced Oct 10th which made Firefox crash
- when cancelling the KDE file dialog (boo#1069962)
-
--------------------------------------------------------------------
-Fri Dec 29 19:52:34 UTC 2017 - astieger@suse.com
-
-- Mozilla Firefox 57.0.3:
- * Fix a crash reporting issue that inadvertently sends background
- tab crash reports to Mozilla without user opt-in (bmo#1427111,
- bsc#1074235)
-- Includes changes from 57.0.2:
- * fixes for platforms other than GNU/Linux
-
--------------------------------------------------------------------
-Fri Dec 8 15:52:17 UTC 2017 - dimstar@opensuse.org
-
-- Explicitly buildrequires python2-xml: The build system relies on
- it. We wrongly relied on other packages pulling it in for us.
-
--------------------------------------------------------------------
-Thu Dec 7 11:12:31 UTC 2017 - dimstar@opensuse.org
-
-- Escape the usage of %{VERSION} when calling out to rpm.
- RPM 4.14 has %{VERSION} defined as 'the main packages version'.
-
--------------------------------------------------------------------
-Wed Nov 29 23:45:03 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 57.0.1
- * CVE-2017-7843: Web worker in Private Browsing mode can write
- IndexedDB data (bsc#1072034, bmo#1410106)
- * CVE-2017-7844: Visited history information leak through SVG
- image (bsc#1072036, bmo#1420001)
- * Fix a video color distortion issue on YouTube and other video
- sites with some AMD devices (bmo#1417442)
- * Fix an issue with prefs.js when the profile path has non-ascii
- characters (bmo#1420427)
-
--------------------------------------------------------------------
-Tue Nov 21 09:00:48 UTC 2017 - christophe@krop.fr
-
-- Add mozilla-bmo1360278.patch
- Starting with Firefox 57, the context menu appears on key press.
- This patch creates a config entry to restore the
- old behaviour. Without the patch, the mouse gesture extensions
- require 2 clicks to work (bmo#1360278).
- The new config entry is named ui.context_menus.after_mouseup
- (default : false).
-
--------------------------------------------------------------------
-Sat Nov 18 08:35:21 UTC 2017 - wr@rosenauer.org
-
-- Allow experimental CSD for Gtk3 (bmo#1399611) if available and enabled
- widget.allow-client-side-decoration=true
- (mozilla-bmo1399611-csd.patch)
-
--------------------------------------------------------------------
-Wed Nov 15 06:46:06 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 57.0 (boo#1068101)
- * Firefox Quantum
- * Photon UI
- * Unified address and search bar
- * AMD VP9 hardware video decoder support
- * Added support for Date/Time input
- * stricter security sandbox blocking filesystem reading and
- writing on Linux systems
- * middle mouse paste in the content area no longer navigates to
- URLs by default on Unix systems
- MFSA 2017-24
- * CVE-2017-7828 (bmo#1406750. bmo#1412252)
- Use-after-free of PressShell while restyling layout
- * CVE-2017-7830 (bmo#1408990)
- Cross-origin URL information leak through Resource Timing API
- * CVE-2017-7831 (bmo#1392026)
- Information disclosure of exposed properties on JavaScript proxy
- objects
- * CVE-2017-7832 (bmo#1408782)
- Domain spoofing through use of dotless 'i' character followed
- by accent markers
- * CVE-2017-7833 (bmo#1370497)
- Domain spoofing with Arabic and Indic vowel marker characters
- * CVE-2017-7834 (bmo#1358009)
- data: URLs opened in new tabs bypass CSP protections
- * CVE-2017-7835 (bmo#1402363)
- Mixed content blocking incorrectly applies with redirects
- * CVE-2017-7836 (bmo#1401339)
- Pingsender dynamically loads libcurl on Linux and OS X
- * CVE-2017-7837 (bmo#1325923)
- SVG loaded as <img> can use meta tags to set cookies
- * CVE-2017-7838 (bmo#1399540)
- Failure of individual decoding of labels in international domain
- names triggers punycode display of entire IDN
- * CVE-2017-7839 (bmo#1402896)
- Control characters before javascript: URLs defeats self-XSS
- prevention mechanism
- * CVE-2017-7840 (bmo#1366420)
- Exported bookmarks do not strip script elements from user-supplied
- tags
- * CVE-2017-7842 (bmo#1397064)
- Referrer Policy is not always respected for <link> elements
- * CVE-2017-7827
- Memory safety bugs fixed in Firefox 57
- * CVE-2017-7826
- Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
-- requires NSPR 4.17, NSS 3.33 and rustc 1.19
-- rebased patches
-- added mozilla-bindgen-systemlibs.patch to allow stylo build
- with system libs (bmo#1341234)
-- removed mozilla-language.patch since the whole locale code
- changed in Firefox and is relying on ICU now
-- removed obsolete mozilla-ucontext.patch
-
--------------------------------------------------------------------
-Sat Oct 28 06:30:37 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 56.0.2
- * Disable Form Autofill completely on user request (bmo#1404531)
- * Fix for video-related crashes on Windows 7 (bmo#1409141)
- * Correct detection for 64-bit GSSAPI authentication (bmo#1409275)
- * Fix for shutdown crash (bmo#1404105)
-
--------------------------------------------------------------------
-Tue Oct 10 11:47:49 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 56.0.1
- * Block D3D11 when using Intel drivers on Windows 7 systems with
- partial AVX support (bmo#1403353)
- -> just to sync the version number
-- enable stylo for TW (requires LLVM >= 3.9)
-- queue KDE filepicker requests to avoid non-opening file dialogs
- happening in certain situations (contributed by Ignaz Forster)
-- the placeholder dot in KDE file dialog in case of empty filenames
- was removed, apparently not required (anymore)
- (contributed by Ignaz Forster)
-
--------------------------------------------------------------------
-Sun Oct 1 18:25:16 UTC 2017 - stefan.bruens@rwth-aachen.de
-
-- Correct plugin directory for aarch64 (boo#1061207). The wrapper
- script was not detecting aarch64 as a 64 bit architecture, thus
- used /usr/lib/browser-plugins/.
-
--------------------------------------------------------------------
-Sat Sep 30 20:10:50 UTC 2017 - zaitor@opensuse.org
-
-- Drop libgnomeui-devel, and replace it with pkgconfig(gconf-2.0),
- pkgconfig(gtk+-2.0), pkgconfig(gtk+-unix-print-2.0),
- pkgconfig(glib-2.0), pkgconfig(gobject-2.0) and
- pkgconfig(gdk-x11-2.0) BuildRequires, align with what configure
- looks for.
-
--------------------------------------------------------------------
-Thu Sep 28 08:28:29 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 56.0 (boo#1060445)
- * Firefox Screenshots
- * Find Options/Preferences more quickly with new search function
- * Media is no longer auto-played when opened in a background tab
- * Enable CSS Grid Layout View
- MFSA 2017-21
- * CVE-2017-7793 (bmo#1371889)
- Use-after-free with Fetch API
- * CVE-2017-7817 (bmo#1356596) (Android-only)
- Firefox for Android address bar spoofing through fullscreen mode
- * CVE-2017-7818 (bmo#1363723)
- Use-after-free during ARIA array manipulation
- * CVE-2017-7819 (bmo#1380292)
- Use-after-free while resizing images in design mode
- * CVE-2017-7824 (bmo#1398381)
- Buffer overflow when drawing and validating elements with ANGLE
- * CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)
- Use-after-free in TLS 1.2 generating handshake hashes
- * CVE-2017-7812 (bmo#1379842)
- Drag and drop of malicious page content to the tab bar can open locally stored files
- * CVE-2017-7814 (bmo#1376036)
- Blob and data URLs bypass phishing and malware protection warnings
- * CVE-2017-7813 (bmo#1383951)
- Integer truncation in the JavaScript parser
- * CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only)
- OS X fonts render some Tibetan and Arabic unicode characters as spaces
- * CVE-2017-7815 (bmo#1368981)
- Spoofing attack with modal dialogs on non-e10s installations
- * CVE-2017-7816 (bmo#1380597)
- WebExtensions can load about: URLs in extension UI
- * CVE-2017-7821 (bmo#1346515)
- WebExtensions can download and open non-executable files without user interaction
- * CVE-2017-7823 (bmo#1396320)
- CSP sandbox directive did not create a unique origin
- * CVE-2017-7822 (bmo#1368859)
- WebCrypto allows AES-GCM with 0-length IV
- * CVE-2017-7820 (bmo#1378207)
- Xray wrapper bypass with new tab and web console
- * CVE-2017-7811
- Memory safety bugs fixed in Firefox 56
- * CVE-2017-7810
- Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
-- requires NSPR 4.16 and NSS 3.32.1
-- rebased patches
-
--------------------------------------------------------------------
-Thu Sep 28 07:53:13 UTC 2017 - dimstar@opensuse.org
-
-- Add alsa-devel BuildRequires: we care for ALSA support to be
- built and thus need to ensure we get the dependencies in place.
- In the past, alsa-devel was pulled in by accident: we
- buildrequire libgnome-devel. This required esound-devel and that
- in turn pulled in alsa-devel for us. libgnome is being fixed to
- no longer require esound-devel.
-
--------------------------------------------------------------------
-Mon Sep 4 18:27:44 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 55.0.3
- * Fix an issue with addons when using a path containing non-ascii
- characters (bmo#1389160)
- * Fix file uploads to some websites, including YouTube (bmo#1383518)
-- fix Google API key build integration
-- add mozilla-ucontext.patch to fix Tumbleweed build
-- do not enable XINPUT2 for now (boo#1053959)
-
--------------------------------------------------------------------
-Fri Aug 11 08:32:30 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 55.0.1
- * Fix a regression the tab restoration process (bmo#1388160)
- * Fix a problem causing What's new pages not to be displayed (bmo#1386224)
- * Fix a rendering issue with some PKCS#11 libraries (bmo#1388370)
- * Disable the predictor prefetch (bmo#1388160)
-
--------------------------------------------------------------------
-Sat Aug 5 13:22:16 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 55.0 (boo#1052829)
- * Browsing sessions with a high number of tabs are now restored
- in an instant
- * Sidebar (bookmarks, history, synced tabs) can now be moved to
- the right edge of the window
- * Fine-tune your browser performance from the Preferences/Options page.
- * Make screenshots of webpages, and save them locally or upload
- them to the cloud. This feature will undergo A/B testing and
- will not be visible for some users.
- * Added Belarusian (be) locale
- * Simplify print jobs from within print preview
- * Use virtual reality devices with the web with the introduction
- of WebVR
- * Search suggestions are now enabled by default for users who
- haven't explicitly opted-out
- * Search with any installed search engine directly from the
- location bar
- * IMPORTANT: Breaking profile changes - do not downgrade Firefox
- and use a profile that has been opened with Firefox 55+.
- * The Adobe Flash plugin is now click-to-activate by default and
- only allowed on http:// and https:// URL schemes. This change
- will be rolled out progressively and so will not be visible to
- all users immediately. For more information see the Firefox
- plugin roadmap
- * Modernized application update UI to be less intrusive and more
- aligned with the rest of the browser. Only users who have not
- restarted their browser 8 days after downloading an update or
- users who opted out of automatic updates will see this change.
- * Insecure sites can no longer access the Geolocation APIs to get
- access to your physical location
- * requires NSPR 4.15 and NSS 3.31
- MFSA 2017-18
- * CVE-2017-7798 (bmo#1371586, bmo#1372112)
- XUL injection in the style editor in devtools
- * CVE-2017-7800 (bmo#1374047)
- Use-after-free in WebSockets during disconnection
- * CVE-2017-7801 (bmo#1371259)
- Use-after-free with marquee during window resizing
- * CVE-2017-7809 (bmo#1380284)
- Use-after-free while deleting attached editor DOM node
- * CVE-2017-7784 (bmo#1376087)
- Use-after-free with image observers
- * CVE-2017-7802 (bmo#1378147)
- Use-after-free resizing image elements
- * CVE-2017-7785 (bmo#1356985)
- Buffer overflow manipulating ARIA attributes in DOM
- * CVE-2017-7786 (bmo#1365189)
- Buffer overflow while painting non-displayable SVG
- * CVE-2017-7806 (bmo#1378113)
- Use-after-free in layer manager with SVG
- * CVE-2017-7753 (bmo#1353312)
- Out-of-bounds read with cached style data and pseudo-elements#
- * CVE-2017-7787 (bmo#1322896)
- Same-origin policy bypass with iframes through page reloads
- * CVE-2017-7807 (bmo#1376459)
- Domain hijacking through AppCache fallback
- * CVE-2017-7792 (bmo#1368652)
- Buffer overflow viewing certificates with an extremely long OID
- * CVE-2017-7804 (bmo#1372849)
- Memory protection bypass through WindowsDllDetourPatcher
- * CVE-2017-7791 (bmo#1365875)
- Spoofing following page navigation with data: protocol and modal alerts
- * CVE-2017-7808 (bmo#1367531)
- CSP information leak with frame-ancestors containing paths
- * CVE-2017-7782 (bmo#1344034)
- WindowsDllDetourPatcher allocates memory without DEP protections
- * CVE-2017-7781 (bmo#1352039)
- Elliptic curve point addition error when using mixed Jacobian-affine coordinates
- * CVE-2017-7794 (bmo#1374281)
- Linux file truncation via sandbox broker
- * CVE-2017-7803 (bmo#1377426)
- CSP containing 'sandbox' improperly applied
- * CVE-2017-7799 (bmo#1372509)
- Self-XSS XUL injection in about:webrtc
- * CVE-2017-7783 (bmo#1360842)
- DOS attack through long username in URL
- * CVE-2017-7788 (bmo#1073952)
- Sandboxed about:srcdoc iframes do not inherit CSP directives
- * CVE-2017-7789 (bmo#1074642)
- Failure to enable HSTS when two STS headers are sent for a connection
- * CVE-2017-7790 (bmo#1350460) (Windows-only)
- Windows crash reporter reads extra memory for some non-null-terminated registry values
- * CVE-2017-7796 (bmo#1234401) (Windows-only)
- Windows updater can delete any file named update.log
- * CVE-2017-7797 (bmo#1334776)
- Response header name interning leaks across origins
- * CVE-2017-7780
- Memory safety bugs fixed in Firefox 55
- * CVE-2017-7779
- Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
-- updated mozilla-kde.patch:
- * removed "downloadfinished" alert as Firefox reimplemented the
- whole thing (TODO: check if there is another function we should
- hook in)
-
--------------------------------------------------------------------
-Tue Jul 4 20:08:47 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 54.0.1
- * Fix a display issue of tab title (bmo#1357656)
- * Fix a display issue of opening new tab (bmo#1371995)
- * Fix a display issue when opening multiple tabs (bmo#1371962)
- * Fix a tab display issue when downloading files (bmo#1373109)
- * Fix a PDF printing issue (bmo#1366744)
- * Fix a Netflix issue on Linux (bmo#1375708)
-
--------------------------------------------------------------------
-Thu Jun 15 13:56:05 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 54.0
- * Clearer and more detailed information for download items in the
- download panel
- * Added Burmese (my) locale
- * Bookmarks created on mobile devices are now shown in
- "Mobile Bookmarks” folder in the drop down list from the toolbar
- and Bookmarks option in the menu bar in Desktop Firefox
- * added support for multiple content processes (e10s-multi)
-- requires NSPR 4.14 and NSS 3.30.2
-- requires rust 1.15.1
-- removed mozilla-shared-nss-db.patch as it seems to be a rather
- unused feature
-
--------------------------------------------------------------------
-Thu Jun 1 04:25:05 UTC 2017 - kah0922@gmail.com
-
-- remove -fno-inline-small-functions and explicitely optimize with
- -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)
-
--------------------------------------------------------------------
-Wed Apr 26 12:37:38 UTC 2017 - wr@rosenauer.org
-
-- switch to Mozilla's geolocation service (boo#1026989)
-- removed mozilla-preferences.patch obsoleted by overriding via
- firefox.js
-- fixed KDE integration to avoid crash caused by filepicker
- (boo#1015998)
-
--------------------------------------------------------------------
-Mon Apr 17 12:52:10 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 53.0
- * requires NSS 3.29.5
- * Lightweight themes are now applied in private browsing windows
- * Reader Mode now displays estimated reading time for the page
- * Two new 'compact' themes available in Firefox, dark and light,
- based on the Firefox Developer Edition theme
- * Ended Firefox Linux support for processors older than Pentium 4
- and AMD Opteron
- * Refresh of the media controls user interface
- * Shortened titles on tabs are faded out instead of using ellipsis
- for improved readability
- * Media playback on new tabs is blocked until the tab is visible
- * Permission notifications have a cleaner design and cannot be
- easily missed
- MFSA 2017-10
- * CVE-2017-5456 (bmo#1344415)
- Sandbox escape allowing local file system access
- * CVE-2017-5442 (bmo#1347979)
- Use-after-free during style changes
- * CVE-2017-5443 (bmo#1342661)
- Out-of-bounds write during BinHex decoding
- * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
- bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
- Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
- Firefox ESR 52.1
- * CVE-2017-5464 (bmo#1347075)
- Memory corruption with accessibility and DOM manipulation
- * CVE-2017-5465 (bmo#1347617)
- Out-of-bounds read in ConvolvePixel
- * CVE-2017-5466 (bmo#1353975)
- Origin confusion when reloading isolated data:text/html URL
- * CVE-2017-5467 (bmo#1347262)
- Memory corruption when drawing Skia content
- * CVE-2017-5460 (bmo#1343642)
- Use-after-free in frame selection
- * CVE-2017-5461 (bmo#1344380)
- Out-of-bounds write in Base64 encoding in NSS
- * CVE-2017-5448 (bmo#1346648)
- Out-of-bounds write in ClearKeyDecryptor
- * CVE-2017-5449 (bmo#1340127)
- Crash during bidirectional unicode manipulation with animation
- * CVE-2017-5446 (bmo#1343505)
- Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
- * CVE-2017-5447 (bmo#1343552)
- Out-of-bounds read during glyph processing
- * CVE-2017-5444 (bmo#1344461)
- Buffer overflow while parsing application/http-index-format content
- * CVE-2017-5445 (bmo#1344467)
- Uninitialized values used while parsing application/http-index-format
- content
- * CVE-2017-5468 (bmo#1329521)
- Incorrect ownership model for Private Browsing information
- * CVE-2017-5469 (bmo#1292534)
- Potential Buffer overflow in flex-generated code
- * CVE-2017-5440 (bmo#1336832)
- Use-after-free in txExecutionState destructor during XSLT processing
- * CVE-2017-5441 (bmo#1343795)
- Use-after-free with selection during scroll events
- * CVE-2017-5439 (bmo#1336830)
- Use-after-free in nsTArray Length() during XSLT processing
- * CVE-2017-5438 (bmo#1336828)
- Use-after-free in nsAutoPtr during XSLT processing
- * CVE-2017-5437 (bmo#1343453)
- Vulnerabilities in Libevent library
- * CVE-2017-5436 (bmo#1345461)
- Out-of-bounds write with malicious font in Graphite 2
- * CVE-2017-5435 (bmo#1350683)
- Use-after-free during transaction processing in the editor
- * CVE-2017-5434 (bmo#1349946)
- Use-after-free during focus handling
- * CVE-2017-5433 (bmo#1347168)
- Use-after-free in SMIL animation functions
- * CVE-2017-5432 (bmo#1346654)
- Use-after-free in text input selection
- * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
- bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686,
- bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621,
- bmo#1349719, bmo#1353476)
- Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
- * CVE-2017-5459 (bmo#1333858)
- Buffer overflow in WebGL
- * CVE-2017-5458 (bmo#1229426)
- Drag and drop of javascript: URLs can allow for self-XSS
- * CVE-2017-5455 (bmo#1341191)
- Sandbox escape through internal feed reader APIs
- * CVE-2017-5454 (bmo#1349276)
- Sandbox escape allowing file system read access through file picker
- * CVE-2017-5451 (bmo#1273537)
- Addressbar spoofing with onblur event
- * CVE-2017-5453 (bmo#1321247)
- HTML injection into RSS Reader feed preview page through
- TITLE element
- * CVE-2017-5462 (bmo#1345089)
- DRBG flaw in NSS
-- removed browser(npapi) provides as these plugins are deprecated
-- switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for
- Leap 42
-- Gtk2 is not longer an option; switched to Gtk3
-- apply MOZ_USE_XINPUT2=1 for better touchpad and touchscreen support
- (boo#1032003)
-
--------------------------------------------------------------------
-Mon Apr 3 06:16:26 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 52.0.2
- * Use Nirmala UI as fallback font for additional Indic languages (bmo#1342787)
- * Fix loading tab icons on session restore (bmo#1338009)
- * Fix a crash on startup on Linux (bmo#1345413)
- * Fix new installs erroneously not prompting to change the default
- browser setting (bmo#1343938)
-
--------------------------------------------------------------------
-Mon Mar 20 15:35:57 UTC 2017 - wr@rosenauer.org
-
-- disable rust usage for everything but x86(-64)
-- explicitely add libffi build requirement
-
--------------------------------------------------------------------
-Fri Mar 17 15:43:29 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 52.0.1 (boo#1029822)
- MFSA 2017-08
- CVE-2017-5428: integer overflow in createImageBitmap() (bmo#1348168)
-
--------------------------------------------------------------------
-Thu Mar 9 12:30:14 UTC 2017 - wr@rosenauer.org
-
-- reenable ALSA support which was removed by default upstream
-
--------------------------------------------------------------------
-Sat Mar 4 16:57:45 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 52.0 (boo#1028391)
- * requires NSS >= 3.28.3
- * Pages containing insecure password fields now display a warning
- directly within username and password fields.
- * Send and open a tab from one device to another with Sync
- * Removed NPAPI support for plugins other than Flash. Silverlight,
- Java, Acrobat and the like are no longer supported.
- * Removed Battery Status API to reduce fingerprinting of users by
- trackers
- * MFSA 2017-05
- CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
- (bmo#1334933)
- CVE-2017-5401: Memory Corruption when handling ErrorResult
- (bmo#1328861)
- CVE-2017-5402: Use-after-free working with events in FontFace
- objects (bmo#1334876)
- CVE-2017-5403: Use-after-free using addRange to add range to an
- incorrect root object (bmo#1340186)
- CVE-2017-5404: Use-after-free working with ranges in selections
- (bmo#1340138)
- CVE-2017-5406: Segmentation fault in Skia with canvas operations
- (bmo#1306890)
- CVE-2017-5407: Pixel and history stealing via floating-point
- timing side channel with SVG filters (bmo#1336622)
- CVE-2017-5410: Memory corruption during JavaScript garbage
- collection incremental sweeping (bmo#1330687)
- CVE-2017-5408: Cross-origin reading of video captions in violation
- of CORS (bmo#1313711)
- CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323)
- CVE-2017-5413: Segmentation fault during bidirectional operations
- (bmo#1337504)
- CVE-2017-5414: File picker can choose incorrect default directory
- (bmo#1319370)
- CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719)
- CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121)
- CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
- (bmo#791597)
- CVE-2017-5426: Gecko Media Plugin sandbox is not started if
- seccomp-bpf filter is running (bmo#1257361)
- CVE-2017-5427: Non-existent chrome.manifest file loaded during
- startup (bmo#1295542)
- CVE-2017-5418: Out of bounds read when parsing HTTP digest
- authorization responses (bmo#1338876)
- CVE-2017-5419: Repeated authentication prompts lead to DOS
- attack (bmo#1312243)
- CVE-2017-5420: Javascript: URLs can obfuscate addressbar
- location (bmo#1284395)
- CVE-2017-5405: FTP response codes can cause use of
- uninitialized values for ports (bmo#1336699)
- CVE-2017-5421: Print preview spoofing (bmo#1301876)
- CVE-2017-5422: DOS attack by using view-source: protocol
- repeatedly in one hyperlink (bmo#1295002)
- CVE-2017-5399: Memory safety bugs fixed in Firefox 52
- CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and
- Firefox ESR 45.8
-- removed obsolete patches
- * mozilla-binutils-visibility.patch
- * mozilla-check_return.patch
- * mozilla-disable-skia-be.patch
- * mozilla-skia-overflow.patch
- * mozilla-skia-ppc-endianess.patch
-- rebased patches
-- enable rust usage for Tumbleweed
-
--------------------------------------------------------------------
-Fri Jan 27 20:25:59 UTC 2017 - astieger@suse.com
-
-- Mozilla Firefox 51.0.1:
- - Multiprocess incompatibility did not correctly register with
- some add-ons (bmo#1333423)
-
--------------------------------------------------------------------
-Fri Jan 20 13:57:56 UTC 2017 - wr@rosenauer.org
-
-- update to Firefox 51.0
- * requires NSPR >= 4.13.1, NSS >= 3.28.1
- * Added support for FLAC (Free Lossless Audio Codec) playback
- * Added support for WebGL 2
- * Added Georgian (ka) and Kabyle (kab) locales
- * Support saving passwords for forms without 'submit' events
- * Improved video performance for users without GPU acceleration
- * Zoom indicator is shown in the URL bar if the zoom level is not
- at default level
- * View passwords from the prompt before saving them
- * Remove Belarusian (be) locale
- * Use Skia for content rendering (Linux)
- * MFSA 2017-01
- CVE-2017-5375: Excessive JIT code allocation allows bypass of
- ASLR and DEP (bmo#1325200, boo#1021814)
- CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
- CVE-2017-5377: Memory corruption with transforms to create
- gradients in Skia (bmo#1306883, boo#1021826)
- CVE-2017-5378: Pointer and frame data leakage of Javascript objects
- (bmo#1312001, bmo#1330769, boo#1021818)
- CVE-2017-5379: Use-after-free in Web Animations
- (bmo#1309198,boo#1021827)
- CVE-2017-5380: Potential use-after-free during DOM manipulations
- (bmo#1322107, boo#1021819)
- CVE-2017-5390: Insecure communication methods in Developer Tools
- JSON viewer (bmo#1297361, boo#1021820)
- CVE-2017-5389: WebExtensions can install additional add-ons via
- modified host requests (bmo#1308688, boo#1021828)
- CVE-2017-5396: Use-after-free with Media Decoder
- (bmo#1329403, boo#1021821)
- CVE-2017-5381: Certificate Viewer exporting can be used to navigate
- and save to arbitrary filesystem locations
- (bmo#1017616, boo#1021830)
- CVE-2017-5382: Feed preview can expose privileged content errors
- and exceptions (bmo#1295322, boo#1021831)
- CVE-2017-5383: Location bar spoofing with unicode characters
- (bmo#1323338, bmo#1324716, boo#1021822)
- CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
- (bmo#1255474, boo#1021832)
- CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
- response headers (bmo#1295945, boo#1021833)
- CVE-2017-5386: WebExtensions can use data: protocol to affect other
- extensions (bmo#1319070, boo#1021823)
- CVE-2017-5394: Android location bar spoofing using fullscreen and
- JavaScript events (bmo#1222798)
- CVE-2017-5391: Content about: pages can load privileged about: pages
- (bmo#1309310, boo#1021835)
- CVE-2017-5392: Weak references using multiple threads on weak proxy
- objects lead to unsafe memory usage (bmo#1293709)
- (Android only)
- CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
- mozAddonManager (bmo#1309282, boo#1021837)
- CVE-2017-5395: Android location bar spoofing during scrolling
- (bmo#1293463) (Android only)
- CVE-2017-5387: Disclosure of local file existence through TRACK
- tag error messages (bmo#1295023, boo#1021839)
- CVE-2017-5388: WebRTC can be used to generate a large amount of
- UDP traffic for DDOS attacks
- (bmo#1281482, boo#1021840)
- CVE-2017-5374: Memory safety bugs fixed in Firefox 51 (boo#1021841)
- CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and
- Firefox ESR 45.7 (boo#1021824)
-- switch Firefox to Gtk3 for Tumbleweed
-- removed obsolete patches
- * mozilla-flex_buffer_overrun.patch
-- updated RPM locale support tag
-- improve recognition of LANGUAGE env variable (boo#1017174)
-- add upstream patch to fix PPC64LE (bmo#1319389)
- (mozilla-skia-ppc-endianess.patch)
-- fix build without skia (big endian archs) (bmo#1319374)
- (mozilla-disable-skia-be.patch)
-
--------------------------------------------------------------------
-Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 50.1.0 (boo#1015422)
- * MFSA 2016-94
- CVE-2016-9894: Buffer overflow in SkiaGL (bmo#1306628)
- CVE-2016-9899: Use-after-free while manipulating DOM events and
- audio elements (bmo#1317409)
- CVE-2016-9895: CSP bypass using marquee tag (bmo#1312272)
- CVE-2016-9896: Use-after-free with WebVR (bmo#1315543)
- CVE-2016-9897: Memory corruption in libGLES (bmo#1301381)
- CVE-2016-9898: Use-after-free in Editor while manipulating
- DOM subtrees (bmo#1314442)
- CVE-2016-9900: Restricted external resources can be loaded by
- SVG images through data URLs (bmo#1319122)
- CVE-2016-9904: Cross-origin information leak in shared atoms
- (bmo#1317936)
- CVE-2016-9901: Data from Pocket server improperly sanitized
- before execution (bmo#1320057)
- CVE-2016-9902: Pocket extension does not validate the origin
- of events (bmo#1320039)
- CVE-2016-9903: XSS injection vulnerability in add-ons SDK
- (bmo#1315435)
- CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
- CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and
- Firefox ESR 45.6
-
--------------------------------------------------------------------
-Fri Dec 9 17:57:22 UTC 2016 - cgrobertson@novell.com
-
-- added patch mozilla-aarch64-startup-crash.patch (bsc#1011922)
-
--------------------------------------------------------------------
-Thu Dec 1 02:49:45 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 50.0.2
- * Firefox crashes with 3rd party Chinese IME when using IME text
- (50.0.1)
- security fixes (in 50.0.1): (boo#1012807)
- * MFSA 2016-91
- CVE-2016-9078: data: URL can inherit wrong origin after an
- HTTP redirect (bmo#1317641)
- security fixes (in 50.0.2) (boo#1012964)
- * MFSA 2016-92
- CVE-2016-9079: Use-after-free in SVG Animation (bmo#1321066)
-
--------------------------------------------------------------------
-Mon Nov 14 21:07:03 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 50.0 (boo#1009026)
- * requires NSS 3.26.2
- new features
- * Updates to keyboard shortcuts
- Set a preference to have Ctrl+Tab cycle through tabs in recently
- used order
- View a page in Reader Mode by using Ctrl+Alt+R
- * Added option to Find in page that allows users to limit search to
- whole words only
- * Added download protection for a large number of executable file
- types on Windows, Mac and Linux
- * Fixed rendering of dashed and dotted borders with rounded corners
- (border-radius)
- * Added a built-in Emoji set for operating systems without native
- Emoji fonts (Windows 8.0 and lower and Linux)
- * Blocked versions of libavcodec older than 54.35.1
- * additional locale
- security fixes:
- * MFSA 2016-89
- CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
- (bmo#1292443)
- CVE-2016-5292: URL parsing causes crash (bmo#1288482)
- CVE-2016-5293: Write to arbitrary file with updater and moz
- maintenance service using updater.log hardlink
- (Windows only) (bmo#1246945)
- CVE-2016-5294: Arbitrary target directory for result files of
- update process (Windows only) (bmo#1246972)
- CVE-2016-5297: Incorrect argument length checking in Javascript
- (bmo#1303678)
- CVE-2016-9064: Addons update must verify IDs match between
- current and new versions (bmo#1303418)
- CVE-2016-9065: Firefox for Android location bar spoofing usingfullscreen
- (Android only) (bmo#1306696)
- CVE-2016-9066: Integer overflow leading to a buffer overflow in
- nsScriptLoadHandler (bmo#1299686)
- CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
- (bmo#1301777, bmo#1308922 (CVE-2016-9069))
- CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973)
- CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
- (bmo#1300083) (Windows only)
- CVE-2016-9075: WebExtensions can access the mozAddonManager API
- and use it to gain elevated privileges (bmo#1295324)
- CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied
- to cross-origin images, allowing timing attacks on them
- (bmo#1298552)
- CVE-2016-5291: Same-origin policy violation using local HTML file
- and saved shortcut file (bmo#1292159)
- CVE-2016-5295: Mozilla Maintenance Service: Ability to read
- arbitrary files as SYSTEM (Windows only) (bmo#1247239)
- CVE-2016-5298: SSL indicator can mislead the user about the real
- URL visited (bmo#1227538) (Android only)
- CVE-2016-5299: Firefox AuthToken in broadcast protected with
- signature-level permission can be accessed by an
- application installed beforehand that defines the
- same permissions (bmo#1245791) (Android only)
- CVE-2016-9061: API Key (glocation) in broadcast protected with
- signature-level permission can be accessed by an
- application installed beforehand that defines the
- same permissions (Android only) (bmo#1245795)
- CVE-2016-9062: Private browsing browser traces (android) in
- browser.db and wal file (Android only) (bmo#1294438)
- CVE-2016-9070: Sidebar bookmark can have reference to chrome window
- (bmo#1281071)
- CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
- (bmo#1289273)
- CVE-2016-9074: Insufficient timing side-channel resistance in
- divSpoiler (bmo#1293334) (fixed via NSS 3.26.1)
- CVE-2016-9076: select dropdown menu can be used for URL bar
- spoofing on e10s (bmo#1276976)
- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse
- in expat (bmo#1274777)
- CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
- (bmo#1285003)
- CVE-2016-5289: Memory safety bugs fixed in Firefox 50
- CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
-- make aarch64 build more similar to x86_64 build (remove conditionals
- that don't seem to be necessary anymore)
-
--------------------------------------------------------------------
-Mon Oct 24 09:41:17 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 49.0.2:
- * CVE-2016-5287: Crash in nsTArray_base (bsc#1006475)
- * CVE-2016-5288: Web content can read cache entries (bsc#1006476)
- * Asynchronous rendering of the Flash plugins is now enabled by
- default
- * Change D3D9 default fallback preference to prevent graphical
- artifacts
- * Network issue prevents some users from seeing the Firefox UI on
- startup
- * Web compatibility issue with file uploads
- * Web compatibility issue with Array.prototype.values
- * Diagnostic information on timing for tab switching
- * Fix a Canvas filters graphics issue affecting HTML5 apps
-
--------------------------------------------------------------------
-Wed Oct 12 20:42:28 UTC 2016 - badshah400@gmail.com
-
-- Drop mozilla-gtk3_20.patch; obsoleted by Firefox version 49.0
- and fixes have been incorporated by upstream.
-
--------------------------------------------------------------------
-Fri Sep 23 20:36:39 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 49.0.1:
- * Mitigate a startup crash issue caused by Websense - bmo#1304783
-
--------------------------------------------------------------------
-Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 49.0 (boo#999701)
- new features
- * Updated Firefox Login Manager to allow HTTPS pages to use saved
- HTTP logins.
- * Added features to Reader Mode that make it easier on the eyes and
- the ears
- * Improved video performance for users on systems that support
- SSE3 without hardware acceleration
- * Added context menu controls to HTML5 audio and video that let users
- loops files or play files at 1.25x speed
- * Improvements in about:memory reports for tracking font memory usage
- security related
- * MFSA 2016-85
- CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
- mozilla::net::IsValidReferrerPolicy
- CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
- nsCaseTransformTextRunFactory::TransformString
- CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
- PropertyProvider::GetSpacingInternal
- CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
- CVE-2016-5273 (bmo#1280387) - crash in
- mozilla::a11y::HyperTextAccessible::GetChildOffset
- CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
- mozilla::a11y::DocAccessible::ProcessInvalidationList
- CVE-2016-5274 (bmo#1282076) - use-after-free in
- nsFrameManager::CaptureFrameState
- CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
- CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
- mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
- CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
- nsBMPEncoder::AddImageFrame
- CVE-2016-5279 (bmo#1249522) - Full local path of files is available
- to web pages after drag and drop
- CVE-2016-5280 (bmo#1289970) - Use-after-free in
- mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
- CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
- CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
- from non-whitelisted schemes
- CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
- reveal cross-origin data
- CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
- CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
- CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
-- removed obsolete patches:
- * mozilla-aarch64-48bit-va.patch
- * mozilla-exclude-nametablecpp.patch
- * mozilla-old_configure-bmo1282843.patch
-- added patch mozilla-skia-overflow.patch (bmo#1304114)
-- requires NSS 3.25
-
--------------------------------------------------------------------
-Tue Aug 30 20:25:38 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 48.0.2:
- * Mitigate a startup crash issue caused on Windows (bmo#1291738)
-
--------------------------------------------------------------------
-Sat Aug 20 10:58:26 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 48.0.1:
- * Fix an audio regression impacting some major websites
- (bmo#1295296)
- * Fix a top crash in the JavaScript engine (bmo#1290469)
- * Fix a startup crash issue caused by Websense (bmo#1291738)
- * Fix a different behavior with e10s / non-e10s on <select> and
- mouse events (bmo#1291078)
- * Fix a top crash caused by plugin issues (bmo#1264530)
- * Fix a shutdown issue (bmo#1276920)
- * Fix a crash in WebRTC
-
--------------------------------------------------------------------
-Mon Aug 15 11:24:00 UTC 2016 - wr@rosenauer.org
-
-- added upstream patch so system plugins/extensions are correctly
- loaded again on x86-64 (bmo#1282843)
- (mozilla-old_configure-bmo1282843.patch)
-
--------------------------------------------------------------------
-Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
-
-- Fix for possible buffer overrun (bsc#990856)
- CVE-2016-6354 (bmo#1292534)
- [mozilla-flex_buffer_overrun.patch]
-
--------------------------------------------------------------------
-Wed Aug 3 03:38:47 UTC 2016 - badshah400@gmail.com
-
-- Update mozilla-gtk3_20.patch to latest version from Fedora.
-
--------------------------------------------------------------------
-Mon Aug 1 12:37:05 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 48.0 (boo#991809)
- * requires NSS 3.24
- * Process separation (e10s) is enabled for some of you
- * Add-ons that have not been verified and signed by Mozilla will not load
- * WebRTC embetterments
- * The media parser has been redeveloped using the Rust programming
- language
- * better Canvas performance with speedy Skia support
- security fixes:
- * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
- Miscellaneous memory safety hazards
- * MFSA 2016-63/CVE-2016-2830 (bmo#1255270)
- Favicon network connection can persist when page is closed
- * MFSA 2016-64/CVE-2016-2838 (bmo#1279814)
- Buffer overflow rendering SVG with bidirectional content
- * MFSA 2016-65/CVE-2016-2839 (bmo#1275339)
- Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
- * MFSA 2016-66/CVE-2016-5251 (bmo#1255570)
- Location bar spoofing via data URLs with malformed/invalid mediatypes
- * MFSA 2016-67/CVE-2016-5252 (bmo#1268854)
- Stack underflow during 2D graphics rendering
- * MFSA 2016-68/CVE-2016-0718 (bmo#1236923)
- Out-of-bounds read during XML parsing in Expat library
- * MFSA 2016-69/CVE-2016-5253 (bmo#1246944)
- Arbitrary file manipulation by local user through Mozilla updater
- and callback application path parameter (Windows-only)
- * MFSA 2016-70/CVE-2016-5254 (bmo#1266963)
- Use-after-free when using alt key and toplevel menus
- * MFSA 2016-71/CVE-2016-5255 (bmo#1212356)
- Crash in incremental garbage collection in JavaScript
- * MFSA 2016-72/CVE-2016-5258 (bmo#1279146)
- Use-after-free in DTLS during WebRTC session shutdown
- * MFSA 2016-73/CVE-2016-5259 (bmo#1282992)
- Use-after-free in service workers with nested sync events
- * MFSA 2016-74/CVE-2016-5260 (bmo#1280294)
- Form input type change from password to text can store plain
- text password in session restore file
- * MFSA 2016-75/CVE-2016-5261 (bmo#1287266)
- Integer overflow in WebSockets during data buffering
- * MFSA 2016-76/CVE-2016-5262 (bmo#1277475)
- Scripts on marquee tag can execute in sandboxed iframes
- * MFSA 2016-77/CVE-2016-2837 (bmo#1274637)
- Buffer overflow in ClearKey Content Decryption Module (CDM)
- during video playback
- * MFSA 2016-78/CVE-2016-5263 (bmo#1276897)
- Type confusion in display transformation
- * MFSA 2016-79/CVE-2016-5264 (bmo#1286183)
- Use-after-free when applying SVG effects
- * MFSA 2016-80/CVE-2016-5265 (bmo#1278013)
- Same-origin policy violation using local HTML file and saved shortcut file
- * MFSA 2016-81/CVE-2016-5266 (bmo#1226977)
- Information disclosure and local file manipulation through drag and drop
- * MFSA 2016-82/CVE-2016-5267 (bmo#1284372)
- Addressbar spoofing with right-to-left characters on Firefox for Android
- (Android only)
- * MFSA 2016-83/CVE-2016-5268 (bmo#1253673)
- Spoofing attack through text injection into internal error pages
- * MFSA 2016-84/CVE-2016-5250 (bmo#1254688)
- Information disclosure through Resource Timing API during page navigation
-- removed obsolete mozilla-gcc6.patch
-
--------------------------------------------------------------------
-Fri Jul 29 01:26:13 UTC 2016 - badshah400@gmail.com
-
-- Update description and screenshots in appdata.xml file.
-
--------------------------------------------------------------------
-Sat Jul 23 20:13:08 UTC 2016 - antoine.belvire@laposte.net
-
-- Fix Firefox crash on startup on i586 (boo#986541):
- * Add -fno-delete-null-pointer-checks and
- -fno-inline-small-functions to CFLAGS
-
--------------------------------------------------------------------
-Tue Jul 19 20:12:11 UTC 2016 - mailaender@opensuse.org
-
-- Update the appdata.xml file (replace Windows XP screenshot)
-
--------------------------------------------------------------------
-Wed Jun 29 09:25:41 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 47.0.1:
- * Selenium WebDriver may cause Firefox to crash at startup
- (bmo#1280854)
-
--------------------------------------------------------------------
-Wed Jun 15 07:52:18 UTC 2016 - wr@rosenauer.org
-
-- mozilla-binutils-visibility.patch to fix build issues with
- gcc/binutils combination used in Leap 42.2 (boo#984637)
-
--------------------------------------------------------------------
-Tue Jun 14 08:35:03 UTC 2016 - badshah400@gmail.com
-
-- Update mozilla-gtk3_20.patch to latest version from Fedora.
-
--------------------------------------------------------------------
-Mon Jun 13 20:28:01 UTC 2016 - agraf@suse.com
-
-- Fix running on 48bit va aarch64 (bsc#984126)
- * add patch mozilla-aarch64-48bit-va.patch
-
--------------------------------------------------------------------
-Mon Jun 13 15:27:13 UTC 2016 - wr@rosenauer.org
-
-- fix XUL dialog button order under KDE session (boo#984403)
-
--------------------------------------------------------------------
-Tue Jun 7 19:47:25 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 47.0 (boo#983549)
- * Enable VP9 video codec for users with fast machines
- * Embedded YouTube videos now play with HTML5 video if Flash is
- not installed
- * View and search open tabs from your smartphone or another
- computer in a sidebar
- * Allow no-cache on back/forward navigations for https resources
- security fixes:
- * MFSA 2016-49/CVE-2016-2815/CVE-2016-2818
- (boo#983638)
- (bmo#1241896, bmo#1242798, bmo#1243466, bmo#1245743,
- bmo#1264300, bmo#1271037, bmo#1234147, bmo#1256493,
- bmo#1256739, bmo#1256968, bmo#1261230, bmo#1261752,
- bmo#1263384, bmo#1264575, bmo#1265577, bmo#1267130,
- bmo#1269729, bmo#1273202, bmo#1273701)
- Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
- * MFSA 2016-50/CVE-2016-2819 (boo#983655) (bmo#1270381)
- Buffer overflow parsing HTML5 fragments
- * MFSA 2016-51/CVE-2016-2821 (bsc#983653) (bmo#1271460)
- Use-after-free deleting tables from a contenteditable document
- * MFSA 2016-52/CVE-2016-2822 (boo#983652) (bmo#1273129)
- Addressbar spoofing though the SELECT element
- * MFSA 2016-53/CVE-2016-2824 (boo#983651) (bmo#1248580)
- Out-of-bounds write with WebGL shader
- * MFSA 2016-54/CVE-2016-2825 (boo#983649) (bmo#1193093)
- Partial same-origin-policy through setting location.host
- through data URI
- * MFSA 2016-56/CVE-2016-2828 (boo#983646) (bmo#1223810)
- Use-after-free when textures are used in WebGL operations
- after recycle pool destruction
- * MFSA 2016-57/CVE-2016-2829 (boo#983644) (bmo#1248329)
- Incorrect icon displayed on permissions notifications
- * MFSA 2016-58/CVE-2016-2831 (boo#983643) (bmo#1261933)
- Entering fullscreen and persistent pointerlock without user
- permission
- * MFSA 2016-59/CVE-2016-2832 (boo#983632) (bmo#1025267)
- Information disclosure of disabled plugins through CSS
- pseudo-classes
- * MFSA 2016-60/CVE-2016-2833 (boo#983640) (bmo#908933)
- Java applets bypass CSP protections
- * MFSA 2016-62/CVE-2016-2834 (boo#983639) (bmo#1206283,
- bmo#1221620, bmo#1241034, bmo#1241037)
- Network Security Services (NSS) vulnerabilities
- fixed by requiring NSS 3.23
- packaging changes:
- * cleanup configure options (boo#981695):
- - notably remove GStreamer support which is gone from FF
- * remove obsolete patches
- - mozilla-libproxy.patch
- - mozilla-repo.patch
-
--------------------------------------------------------------------
-Wed May 25 16:36:23 UTC 2016 - badshah400@gmail.com
-
-- The conditional testing for gcc was failing for different
- openSUSE versions, drop it and apply patches unconditionally.
-
--------------------------------------------------------------------
-Mon May 23 15:30:27 UTC 2016 - badshah400@gmail.com
-
-- Add patches to fix building with gcc6:
- + mozilla-gcc6.patch: fix building with gcc >= 6.1; patch
- taken from upstream:
- https://hg.mozilla.org/mozilla-central/rev/55212130f19d.
- + mozilla-exclude-nametablecpp.patch: Exclude NameTable.cpp
- from unified compilation because #include <cmath> in other
- source files causes gcc6 compilation failure; patch taken from
- upstream:
- https://hg.mozilla.org/mozilla-central/rev/9c57b7cacffc.
-
--------------------------------------------------------------------
-Fri May 13 00:00:00 CEST 2016 - dsterba@suse.cz
-
-- enable build with PIE and full relro on x86_64 (boo#980384)
-
--------------------------------------------------------------------
-Wed May 4 10:27:43 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 46.0.1
- Fixed:
- * Search plugin issue for various locales
- * Add-on signing certificate expiration
- * Service worker update issue
- * Build issue when jit is disabled
- * Limit Sync registration updates
-- removed now obsolete mozilla-jit_branch64.patch
-
--------------------------------------------------------------------
-Tue May 3 15:47:18 UTC 2016 - normand@linux.vnet.ibm.com
-
-- add mozilla-jit_branch64.patch to avoid PowerPC build failure
- (from bmo#1266366)
-
--------------------------------------------------------------------
-Wed Apr 27 08:39:28 UTC 2016 - badshah400@gmail.com
-
-- Update mozilla-gtk3_20.patch for Firefox 46.0 (sync to latest
- version from Fedora).
-
--------------------------------------------------------------------
-Wed Apr 27 06:09:30 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 46.0 (boo#977333)
- * Improved security of the JavaScript Just In Time (JIT) Compiler
- * WebRTC fixes to improve performance and stability
- * Added support for document.elementsFromPoint
- * Added HKDF support for Web Crypto API
- * requires NSPR 4.12 and NSS 3.22.3
- * added patch to fix unchecked return value
- mozilla-check_return.patch
- * Gtk3 builds not supported at the moment
- security fixes:
- * MFSA 2016-39/CVE-2016-2804/CVE-2016-2806/CVE-2016-2807
- (boo#977373, boo#977375, boo#977376)
- Miscellaneous memory safety hazards
- * MFSA 2016-40/CVE-2016-2809 (bmo#1212939, boo#977377)
- Privilege escalation through file deletion by Maintenance Service updater
- (Windows only)
- * MFSA 2016-41/CVE-2016-2810 (bmo#1229681, boo#977378)
- Content provider permission bypass allows malicious application
- to access data (Android only)
- * MFSA 2016-42/CVE-2016-2811/CVE-2016-2812
- (bmo#1252330, bmo#1261776, boo#977379)
- Use-after-free and buffer overflow in Service Workers
- * MFSA 2016-43/CVE-2016-2813 (bmo#1197901, bmo#2714650, boo#977380)
- Disclosure of user actions through JavaScript with motion and
- orientation sensors (only affects mobile variants)
- * MFSA 2016-44/CVE-2016-2814 (bmo#1254721, boo#977381)
- Buffer overflow in libstagefright with CENC offsets
- * MFSA 2016-45/CVE-2016-2816 (bmo#1223743, boo#977382)
- CSP not applied to pages sent with multipart/x-mixed-replace
- * MFSA 2016-46/CVE-2016-2817 (bmo#1227462, boo#977384)
- Elevation of privilege with chrome.tabs.update API in web extensions
- * MFSA 2016-47/CVE-2016-2808 (bmo#1246061, boo#977386)
- Write to invalid HashMap entry through JavaScript.watch()
- * MFSA 2016-48/CVE-2016-2820 (bmo#870870, boo#977388)
- Firefox Health Reports could accept events from untrusted domains
-
--------------------------------------------------------------------
-Thu Apr 21 12:00:28 UTC 2016 - badshah400@gmail.com
-
-- Update mozilla-gtk3_20.patch to fix scrollbar appearance under
- gtk >= 3.20 (patch synced to Fedora's version).
-
--------------------------------------------------------------------
-Tue Apr 12 19:11:30 UTC 2016 - badshah400@gmail.com
-
-- Compile against gtk3 depending on whether the macro
- %firefox_use_gtk3 is defined or not (e.g., at the prjconf
- level); macro is undefined by default and so gtk2 is used as the
- default toolkit.
-- Add BuildRequires for additional packages needed when building
- against gtk3: pkgconfig(glib-2.0), pkgconfig(gobject-2.0),
- pkgconfig(gtk+-3.0) >= 3.4.0, pkgconfig(gtk+-unix-print-3.0).
-- Add firefox-gtk3_20.patch to fix appearance with gtk3 >= 3.20;
- patch taken from Fedora (bmo#1230955).
-
--------------------------------------------------------------------
-Mon Apr 11 22:49:24 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 45.0.2:
- * Fix an issue impacting the cookie header when third-party
- cookies are blocked (bmo#1257861)
- * Fix a web compatibility regression impacting the srcset
- attribute of the image tag (bmo#1259482)
- * Fix a crash impacting the video playback with Media Source
- Extension (bmo#1258562)
- * Fix a regression impacting some specific uploads (bmo#1255735)
- * Fix a regression with the copy and paste with some old versions
- of some Gecko applications like Thunderbird (bmo#1254980)
-
--------------------------------------------------------------------
-Fri Mar 18 08:52:58 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 45.0.1:
- * Fix a regression causing search engine settings to be lost in
- some context (bmo#1254694)
- * Bring back non-standard jar: URIs to fix a regression in IBM
- iNotes (bmo#1255139)
- * XSLTProcessor.importStylesheet was failing when <import> was
- used (bmo#1249572)
- * Fix an issue which could cause the list of search provider to
- be empty (bmo#1255605)
- * Fix a regression when using the location bar (bmo#1254503)
- * Fix some loading issues when Accept third-party cookies: was
- set to Never (bmo#1254856)
- * Disabled Graphite font shaping library
-
--------------------------------------------------------------------
-Sun Mar 6 19:52:13 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 45.0 (boo#969894)
- * requires NSPR 4.12 / NSS 3.21.1
- * Instant browser tab sharing through Hello
- * Synced Tabs button in button bar
- * Tabs synced via Firefox Accounts from other devices are now shown
- in dropdown area of Awesome Bar when searching
- * Introduce a new preference (network.dns.blockDotOnion) to allow
- blocking .onion at the DNS level
- * Tab Groups (Panorama) feature removed
- * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
- Miscellaneous memory safety hazards
- * MFSA 2016-17/CVE-2016-1954 (bmo#1243178)
- Local file overwriting and potential privilege escalation through
- CSP reports
- * MFSA 2016-18/CVE-2016-1955 (bmo#1208946)
- CSP reports fail to strip location information for embedded iframe pages
- * MFSA 2016-19/CVE-2016-1956 (bmo#1199923)
- Linux video memory DOS with Intel drivers
- * MFSA 2016-20/CVE-2016-1957 (bmo#1227052)
- Memory leak in libstagefright when deleting an array during MP4
- processing
- * MFSA 2016-21/CVE-2016-1958 (bmo#1228754)
- Displayed page address can be overridden
- * MFSA 2016-22/CVE-2016-1959 (bmo#1234949)
- Service Worker Manager out-of-bounds read in Service Worker Manager
- * MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014)
- Use-after-free in HTML5 string parser
- * MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377)
- Use-after-free in SetBody
- * MFSA 2016-25/CVE-2016-1962 (bmo#1240760)
- Use-after-free when using multiple WebRTC data channels
- * MFSA 2016-26/CVE-2016-1963 (bmo#1238440)
- Memory corruption when modifying a file being read by FileReader
- * MFSA 2016-27/CVE-2016-1964 (bmo#1243335)
- Use-after-free during XML transformations
- * MFSA 2016-28/CVE-2016-1965 (bmo#1245264)
- Addressbar spoofing though history navigation and Location protocol
- property
- * MFSA 2016-29/CVE-2016-1967 (bmo#1246956)
- Same-origin policy violation using perfomance.getEntries and
- history navigation with session restore
- * MFSA 2016-30/CVE-2016-1968 (bmo#1246742)
- Buffer overflow in Brotli decompression
- * MFSA 2016-31/CVE-2016-1966 (bmo#1246054)
- Memory corruption with malicious NPAPI plugin
- * MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/
- CVE-2016-1976/CVE-2016-1972
- WebRTC and LibVPX vulnerabilities found through code inspection
- * MFSA 2016-33/CVE-2016-1973 (bmo#1219339)
- Use-after-free in GetStaticInstance in WebRTC
- * MFSA 2016-34/CVE-2016-1974 (bmo#1228103)
- Out-of-bounds read in HTML parser following a failed allocation
- * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
- Buffer overflow during ASN.1 decoding in NSS
- (fixed by requiring 3.21.1)
- * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
- Use-after-free during processing of DER encoded keys in NSS
- (fixed by requiring 3.21.1)
- * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
- CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
- CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
- CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
- Font vulnerabilities in the Graphite 2 library
-
--------------------------------------------------------------------
-Sat Mar 5 15:27:00 UTC 2016 - olaf@aepfle.de
-
-- Remove B_CNT from symbols.zip filename to reduce build-compare noise
-
--------------------------------------------------------------------
-Fri Feb 26 16:22:52 UTC 2016 - astieger@suse.com
-
-- fix build problems on i586, caused by too large unified compile
- units - adding mozilla-reduce-files-per-UnifiedBindings.patch
-
--------------------------------------------------------------------
-Thu Feb 11 07:51:34 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 44.0.2
- * MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)
- Same-origin-policy violation using Service Workers with plugins
- * Fix issue which could lead to the removal of stored passwords
- under certain circumstances (bmo#1242176)
- * Allows spaces in cookie names (bmo#1244505)
- * Disable opus/vorbis audio with H.264 (bmo#1245696)
- * Fix for graphics startup crash (GNU/Linux) (bmo#1222171)
- * Fix a crash in cache networking (bmo#1244076)
- * Fix using WebSockets in service worker controlled pages (bmo#1243942)
-
--------------------------------------------------------------------
-Sat Jan 30 08:28:17 UTC 2016 - dmueller@suse.com
-
-- build fixes for arm/aarch64:
- * disable webrtc for arm/aarch64
- * switch away from openGL-ES backend to default for arm/aarch64
- since it almost never builds
- * reenable neon
-- reenable webrtc for powerpc as it seems to build
-
--------------------------------------------------------------------
-Sun Jan 24 09:33:15 UTC 2016 - wr@rosenauer.org
-
-- update to Firefox 44.0
- * MFSA 2016-01/CVE-2016-1930/CVE-2016-1931 boo#963633
- Miscellaneous memory safety hazards
- * MFSA 2016-02/CVE-2016-1933 (bmo#1231761) boo#963634
- Out of Memory crash when parsing GIF format images
- * MFSA 2016-03/CVE-2016-1935 (bmo#1220450) boo#963635
- Buffer overflow in WebGL after out of memory allocation
- * MFSA 2016-04/CVE-2015-7208/CVE-2016-1939 (bmo#1191423, bmo#1233784) boo#963637
- Firefox allows for control characters to be set in cookie names
- * MFSA 2016-06/CVE-2016-1937 (bmo#724353) boo#963641
- Missing delay following user click events in protocol handler dialog
- * MFSA 2016-07/CVE-2016-1938 (bmo#1190248) boo#963731
- Errors in mp_div and mp_exptmod cryptographic functions in NSS
- (fixed by requiring NSS 3.21)
- * MFSA 2016-09/CVE-2016-1942/CVE-2016-1943 (bmo#1189082, bmo#1228590)
- Addressbar spoofing attacks boo#963643
- * MFSA 2016-10/CVE-2016-1944/CVE-2016-1945/CVE-2016-1946
- (bmo#1186621, bmo#1214782, bmo#1232096) boo#963644
- Unsafe memory manipulation found through code inspection
- * MFSA 2016-11/CVE-2016-1947 (bmo#1237103) boo#963645
- Application Reputation service disabled in Firefox 43
- * requires NSPR 4.11
- * requires NSS 3.21
-- prepare mozilla-kde.patch for Gtk3 builds
-- rebased patches
-
--------------------------------------------------------------------
-Mon Jan 11 08:04:24 UTC 2016 - astieger@suse.com
-
-- Mozilla Firefox 43.0.4:
- * Re-enable SHA-1 certificates to prevent outdated
- man-in-the-middle security devices from interfering with
- properly secured SSL/TLS connections (bmo#1236975)
- * Fix for startup crash for users of a third party antivirus tool
- (bmo#1235537)
-- The following change was previously in the package as a patch:
- * Multi-user GNU/Linux download folders can be created
- (bmo#1233434), removed mozilla-bmo1233434.patch
-
--------------------------------------------------------------------
-Tue Dec 29 20:29:35 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 43.0.3
- * requires NSS 3.20.2 to fix
- MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
- MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
- server signature
- * various changes to support Windows update (SHA-1 vs. SHA-2)
- * workaround Youtube user agent detection issue (bmo#1233970)
-- fix file download regression for multi user systems
- (bmo#1233434) (mozilla-bmo1233434.patch)
-- explicitely requires libXcomposite-devel
-
--------------------------------------------------------------------
-Sun Dec 13 23:07:56 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 43.0 (bnc#959277)
- * Improved API support for m4v video playback
- * Users can opt-in to receive search suggestions from the Awesome Bar
- * WebRTC streaming on multiple monitors
- * User selectable second block list for Private Browsing's Tracking
- Protection
- security fixes:
- * MFSA 2015-134/CVE-2015-7201/CVE-2015-7202
- Miscellaneous memory safety hazards
- * MFSA 2015-135/CVE-2015-7204 (bmo#1216130)
- Crash with JavaScript variable assignment with unboxed objects
- * MFSA 2015-136/CVE-2015-7207 (bmo#1185256)
- Same-origin policy violation using perfomance.getEntries and
- history navigation
- * MFSA 2015-137/CVE-2015-7208 (bmo#1191423)
- Firefox allows for control characters to be set in cookies
- * MFSA 2015-138/CVE-2015-7210 (bmo#1218326)
- Use-after-free in WebRTC when datachannel is used after being
- destroyed
- * MFSA 2015-139/CVE-2015-7212 (bmo#1222809)
- Integer overflow allocating extremely large textures
- * MFSA 2015-140/CVE-2015-7215 (bmo#1160890)
- Cross-origin information leak through web workers error events
- * MFSA 2015-141/CVE-2015-7211 (bmo#1221444)
- Hash in data URI is incorrectly parsed
- * MFSA 2015-142/CVE-2015-7218/CVE-2015-7219 (bmo#1194818, bmo#1194820)
- DOS due to malformed frames in HTTP/2
- * MFSA 2015-143/CVE-2015-7216/CVE-2015-7217 (bmo#1197059, bmo#1203078)
- Linux file chooser crashes on malformed images due to flaws in
- Jasper library
- * MFSA 2015-144/CVE-2015-7203/CVE-2015-7220/CVE-2015-7221
- (bmo#1201183, bmo#1178033, bmo#1199400)
- Buffer overflows found through code inspection
- * MFSA 2015-145/CVE-2015-7205 (bmo#1220493)
- Underflow through code inspection
- * MFSA 2015-146/CVE-2015-7213 (bmo#1206211)
- Integer overflow in MP4 playback in 64-bit versions
- * MFSA 2015-147/CVE-2015-7222 (bmo#1216748)
- Integer underflow and buffer overflow processing MP4 metadata in
- libstagefright
- * MFSA 2015-148/CVE-2015-7223 (bmo#1226423)
- Privilege escalation vulnerabilities in WebExtension APIs
- * MFSA 2015-149/CVE-2015-7214 (bmo#1228950)
- Cross-site reading attack through data and view-source URIs
-- rebased patches
-
--------------------------------------------------------------------
-Sun Nov 15 19:52:20 UTC 2015 - wr@rosenauer.org
-
-- Add desktop menu action for private browsing window to desktop
- file (boo#954747)
-- remove obsolete patch mozilla-bmo1005535.patch completely from
- source package to avoid automatic check failures
-
--------------------------------------------------------------------
-Sat Oct 31 19:50:03 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 42.0 (bnc#952810)
- * Private Browsing with Tracking Protection blocks certain Web
- elements that could be used to record your behavior across sites
- * Control Center that contains site security and privacy controls
- * Login Manager improvements
- * WebRTC improvements
- * Indicator added to tabs that play audio with one-click muting
- * Media Source Extension for HTML5 video available for all sites
- security fixes:
- * MFSA 2015-116/CVE-2015-4513/CVE-2015-4514
- Miscellaneous memory safety hazards
- * MFSA 2015-117/CVE-2015-4515 (bmo#1046421)
- Information disclosure through NTLM authentication
- * MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)
- CSP bypass due to permissive Reader mode whitelist
- * MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)
- Firefox for Android addressbar can be removed after fullscreen mode
- * MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)
- Reading sensitive profile files through local HTML file on Android
- * MFSA 2015-121/CVE-2015-7187 (bmo#1195735)
- disabling scripts in Add-on SDK panels has no effect
- * MFSA 2015-122/CVE-2015-7188 (bmo#1199430)
- Trailing whitespace in IP address hostnames can bypass same-origin policy
- * MFSA 2015-123/CVE-2015-7189 (bmo#1205900)
- Buffer overflow during image interactions in canvas
- * MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)
- Android intents can be used on Firefox for Android to open privileged files
- * MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)
- XSS attack through intents on Firefox for Android
- * MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)
- Crash when accessing HTML tables with accessibility tools on OS X
- * MFSA 2015-127/CVE-2015-7193 (bmo#1210302)
- CORS preflight is bypassed when non-standard Content-Type headers
- are received
- * MFSA 2015-128/CVE-2015-7194 (bmo#1211262)
- Memory corruption in libjar through zip files
- * MFSA 2015-129/CVE-2015-7195 (bmo#1211871)
- Certain escaped characters in host of Location-header are being
- treated as non-escaped
- * MFSA 2015-130/CVE-2015-7196 (bmo#1140616)
- JavaScript garbage collection crash with Java applet
- * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
- (bmo#1188010, bmo#1204061, bmo#1204155)
- Vulnerabilities found through code inspection
- * MFSA 2015-132/CVE-2015-7197 (bmo#1204269)
- Mixed content WebSocket policy bypass through workers
- * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
- (bmo#1202868, bmo#1205157)
- NSS and NSPR memory corruption issues
- (fixed in mozilla-nspr and mozilla-nss packages)
-- requires NSPR >= 4.10.10 and NSS >= 3.19.4
-- removed obsolete patches
- * mozilla-arm-disable-edsp.patch
- * mozilla-icu-strncat.patch
- * mozilla-skia-be-le.patch
- * toolkit-download-folder.patch
-- fixed build with enable-libproxy (bmo#1220399)
- * mozilla-libproxy.patch
-
--------------------------------------------------------------------
-Thu Oct 15 08:25:54 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 41.0.2 (bnc#950686)
- * MFSA 2015-115/CVE-2015-7184 (bmo#1208339, bmo#1212669)
- Cross-origin restriction bypass using Fetch
-- added explicit appdata provides (bnc#949983)
-
--------------------------------------------------------------------
-Sun Oct 4 09:20:56 UTC 2015 - wr@rosenauer.org
-
-- do not build with --enable-stdcxx-compat
- (this starts to fail build on various toolchain combinations
- and is not required for openSUSE builds in general
-
--------------------------------------------------------------------
-Thu Oct 1 09:49:57 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 41.0.1
- * Fix a startup crash related to Yandex toolbar and Adblock Plus
- (bmo#1209124)
- * Fix potential hangs with Flash plugins (bmo#1185639)
- * Fix a regression in the bookmark creation (bmo#1206376)
- * Fix a startup crash with some Intel Media Accelerator 3150
- graphic cards (bmo#1207665)
- * Fix a graphic crash, occurring occasionally on Facebook (bmo#1178601)
-
--------------------------------------------------------------------
-Sat Sep 19 20:23:29 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 41.0 (bnc#947003)
- * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
- Miscellaneous memory safety hazards
- * MFSA 2015-97/CVE-2015-4503 (bmo#994337)
- Memory leak in mozTCPSocket to servers
- * MFSA 2015-98/CVE-2015-4504 (bmo#1132467)
- Out of bounds read in QCMS library with ICC V4 profile attributes
- * MFSA 2015-99/CVE-2015-4476 (bmo#1162372) (Android only)
- Site attribute spoofing on Android by pasting URL with unknown scheme
- * MFSA 2015-100/CVE-2015-4505 (bmo#1177861) (Windows only)
- Arbitrary file manipulation by local user through Mozilla updater
- * MFSA 2015-101/CVE-2015-4506 (bmo#1192226)
- Buffer overflow in libvpx while parsing vp9 format video
- * MFSA 2015-102/CVE-2015-4507 (bmo#1192401)
- Crash when using debugger with SavedStacks in JavaScript
- * MFSA 2015-103/CVE-2015-4508 (bmo#1195976)
- URL spoofing in reader mode
- * MFSA 2015-104/CVE-2015-4510 (bmo#1200004)
- Use-after-free with shared workers and IndexedDB
- * MFSA 2015-105/CVE-2015-4511 (bmo#1200148)
- Buffer overflow while decoding WebM video
- * MFSA 2015-106/CVE-2015-4509 (bmo#1198435)
- Use-after-free while manipulating HTML media content
- * MFSA 2015-107/CVE-2015-4512 (bmo#1170390)
- Out-of-bounds read during 2D canvas display on Linux 16-bit
- color depth systems
- * MFSA 2015-108/CVE-2015-4502 (bmo#1105045)
- Scripted proxies can access inner window
- * MFSA 2015-109/CVE-2015-4516 (bmo#904886)
- JavaScript immutable property enforcement can be bypassed
- * MFSA 2015-110/CVE-2015-4519 (bmo#1189814)
- Dragging and dropping images exposes final URL after redirects
- * MFSA 2015-111/CVE-2015-4520 (bmo#1200856, bmo#1200869)
- Errors in the handling of CORS preflight request headers
- * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522/
- CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177/
- CVE-2015-7180
- Vulnerabilities found through code inspection
- * MFSA 2015-113/CVE-2015-7178/CVE-2015-7179 (bmo#1189860,
- bmo#1190526) (Windows only)
- Memory safety errors in libGLES in the ANGLE graphics library
- * MFSA 2015-114 (bmo#1167498, bmo#1153672) (Windows only)
- Information disclosure via the High Resolution Time API
-- rebased patches
-- removed obsolete patches
- * mozilla-arm64-libjpeg-turbo.patch
-
-------------------------------------------------------------------
-Thu Aug 27 06:03:51 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 40.0.3 (bnc#943550)
- * Disable the asynchronous plugin initialization (bmo#1198590)
- * Fix a segmentation fault in the GStreamer support (bmo#1145230)
- * Fix a regression with some Japanese fonts used in the <input>
- field (bmo#1194055)
- * On some sites, the selection in a select combox box using the
- mouse could be broken (bmo#1194733)
- security fixes
- * MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278)
- Use-after-free when resizing canvas element during restyling
- * MFSA 2015-95/CVE-2015-4498 (bmo#1042699)
- Add-on notification bypass through data URLs
-
--------------------------------------------------------------------
-Fri Aug 7 07:49:49 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 40.0 (bnc#940806)
- * Added protection against unwanted software downloads
- * Suggested Tiles show sites of interest, based on categories
- from your recent browsing history
- * Hello allows adding a link to conversations to provide context
- on what the conversation will be about
- * New style for add-on manager based on the in-content
- preferences style
- * Improved scrolling, graphics, and video playback performance
- with off main thread compositing (GNU/Linux only)
- * Graphic blocklist mechanism improved: Firefox version ranges
- can be specified, limiting the number of devices blocked
- security fixes:
- * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
- Miscellaneous memory safety hazards
- * MFSA 2015-80/CVE-2015-4475 (bmo#1175396)
- Out-of-bounds read with malformed MP3 file
- * MFSA 2015-81/CVE-2015-4477 (bmo#1179484)
- Use-after-free in MediaStream playback
- * MFSA 2015-82/CVE-2015-4478 (bmo#1105914)
- Redefinition of non-configurable JavaScript object properties
- * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
- Overflow issues in libstagefright
- * MFSA 2015-84/CVE-2015-4481 (bmo1171518)
- Arbitrary file overwriting through Mozilla Maintenance Service
- with hard links (only affected Windows)
- * MFSA 2015-85/CVE-2015-4482 (bmo#1184500)
- Out-of-bounds write with Updater and malicious MAR file
- (does not affect openSUSE RPM packages which do not ship the
- updater)
- * MFSA 2015-86/CVE-2015-4483 (bmo#1148732)
- Feed protocol with POST bypasses mixed content protections
- * MFSA 2015-87/CVE-2015-4484 (bmo#1171540)
- Crash when using shared memory in JavaScript
- * MFSA 2015-88/CVE-2015-4491 (bmo#1184009)
- Heap overflow in gdk-pixbuf when scaling bitmap images
- * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
- Buffer overflows on Libvpx when decoding WebM video
- * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
- Vulnerabilities found through code inspection
- * MFSA 2015-91/CVE-2015-4490 (bmo#1086999)
- Mozilla Content Security Policy allows for asterisk wildcards
- in violation of CSP specification
- * MFSA 2015-92/CVE-2015-4492 (bmo#1185820)
- Use-after-free in XMLHttpRequest with shared workers
-- added mozilla-no-stdcxx-check.patch
-- removed obsolete patches
- * mozilla-add-glibcxx_use_cxx11_abi.patch
- * firefox-multilocale-chrome.patch
-- rebased patches
-- requires version 40 of the branding package
-- removed browser/searchplugins/ location as it's not valid anymore
-
--------------------------------------------------------------------
-Fri Aug 7 07:09:39 UTC 2015 - wr@rosenauer.org
-
-- security update to Firefox 39.0.3 (bnc#940918)
- * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
- Same origin violation and local file stealing via PDF reader
-
--------------------------------------------------------------------
-Wed Jul 1 06:43:02 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 39.0 (bnc#935979)
- * Share Hello URLs with social networks
- * Support for 'switch' role in ARIA 1.1 (web accessibility)
- * SafeBrowsing malware detection lookups enabled for downloads
- (Mac OS X and Linux)
- * Support for new Unicode 8.0 skin tone emoji
- * Removed support for insecure SSLv3 for network communications
- * Disable use of RC4 except for temporarily whitelisted hosts
- * NPAPI Plug-in performance improved via asynchronous initialization
- security fixes:
- * MFSA 2015-59/CVE-2015-2724/CVE-2015-2725/CVE-2015-2726
- Miscellaneous memory safety hazards
- * MFSA 2015-60/CVE-2015-2727 (bmo#1163422)
- Local files or privileged URLs in pages can be opened into new tabs
- * MFSA 2015-61/CVE-2015-2728 (bmo#1142210)
- Type confusion in Indexed Database Manager
- * MFSA 2015-62/CVE-2015-2729 (bmo#1122218)
- Out-of-bound read while computing an oscillator rendering range in Web Audio
- * MFSA 2015-63/CVE-2015-2731 (bmo#1149891)
- Use-after-free in Content Policy due to microtask execution error
- * MFSA 2015-64/CVE-2015-2730 (bmo#1125025)
- ECDSA signature validation fails to handle some signatures correctly
- (this fix is shipped by NSS 3.19.1 externally)
- * MFSA 2015-65/CVE-2015-2722/CVE-2015-2733 (bmo#1166924, bmo#1169867)
- Use-after-free in workers while using XMLHttpRequest
- * MFSA 2015-66/CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737
- CVE-2015-2738/CVE-2015-2739/CVE-2015-2740
- Vulnerabilities found through code inspection
- * MFSA 2015-67/CVE-2015-2741 (bmo#1147497)
- Key pinning is ignored when overridable errors are encountered
- * MFSA 2015-68/CVE-2015-2742 (bmo#1138669)
- OS X crash reports may contain entered key press information
- (not relevant under Linux)
- * MFSA 2015-69/CVE-2015-2743 (bmo#1163109)
- Privilege escalation in PDF.js
- * MFSA 2015-70/CVE-2015-4000 (bmo#1138554)
- NSS accepts export-length DHE keys with regular DHE cipher suites
- (this fix is shipped by NSS 3.19.1 externally)
- * MFSA 2015-71/CVE-2015-2721 (bmo#1086145)
- NSS incorrectly permits skipping of ServerKeyExchange
- (this fix is shipped by NSS 3.19.1 externally)
-- dropped mozilla-prefer_plugin_pref.patch as this feature is
- likely not worth maintaining further
-- rebased patches
-- require NSS 3.19.2
-
--------------------------------------------------------------------
-Thu Jun 18 10:30:18 UTC 2015 - schwab@suse.de
-
-- mozilla-arm64-libjpeg-turbo.patch: fix libjpeg-turbo configuration
-
--------------------------------------------------------------------
-Sun Jun 7 07:09:12 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 38.0.6
- * fixes bmo#1171730 which is not really relevant to oS builds
-- fix KDE regression from 38.0.5 builds (bsc#933439)
-
--------------------------------------------------------------------
-Sat May 23 21:13:49 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 38.0.5
- * Keep track of articles and videos with Pocket
- * Clean formatting for articles and blog posts with Reader View
- * Share the active tab or window in a Hello conversation
-- add changes file as source for SRPM (bsc#932142)
-
--------------------------------------------------------------------
-Fri May 15 10:40:19 UTC 2015 - normand@linux.vnet.ibm.com
-
-- add mozilla-add-glibcxx_use_cxx11_abi.patch grabbed from
- https://bugzilla.mozilla.org/show_bug.cgi?id=1153109
-
--------------------------------------------------------------------
-Fri May 15 07:37:46 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 38.0.1
- stability and regression fixes
- * Systems with first generation NVidia Optimus graphics cards
- may crash on start-up
- * Users who import cookies from Google Chrome can end up with
- broken websites
- * Large animated images may fail to play and may stop other
- images from loading
-
--------------------------------------------------------------------
-Sun May 10 07:07:49 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 38.0 (bnc#930622)
- * New tab-based preferences
- * Ruby annotation support
- * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
- security fixes:
- * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
- Miscellaneous memory safety hazards
- * MFSA 2015-47/VE-2015-0797 (bmo#1080995)
- Buffer overflow parsing H.264 video with Linux Gstreamer
- * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
- Buffer overflow with SVG content and CSS
- * MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
- Referrer policy ignored when links opened by middle-click and
- context menu
- * MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
- Out-of-bounds read and write in asm.js validation
- * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
- Use-after-free during text processing with vertical text enabled
- * MFSA 2015-53/CVE-2015-2715 (bmo#988698)
- Use-after-free due to Media Decoder Thread creation during shutdown
- * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
- Buffer overflow when parsing compressed XML
- * MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
- Buffer overflow and out-of-bounds read while parsing MP4 video
- metadata
- * MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
- Untrusted site hosting trusted page can intercept webchannel
- responses
- * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
- Privilege escalation through IPC channel messages
-- requires NSS 3.18.1
-- removed obsolete patches:
- * mozilla-skia-bmo1136958.patch
-- remove gnomevfs build options as it is removed from sources
-- rebased patches
-
--------------------------------------------------------------------
-Fri Apr 17 16:39:20 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 37.0.2 (bnc#928116)
- * MFSA 2015-45/CVE-2015-2706 (bmo#1141081)
- Memory corruption during failed plugin initialization
-
--------------------------------------------------------------------
-Fri Apr 3 08:27:24 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 37.0.1 (bnc#926166)
- * MFSA 2015-43/CVE-2015-0798 (bmo#1147597) (Android only)
- Loading privileged content through Reader mode
- * MFSA 2015-44/CVE-2015-0799 (bmo#1148328)
- Certificate verification bypass through the HTTP/2 Alt-Svc header
-
--------------------------------------------------------------------
-Sat Mar 28 09:46:48 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 37.0 (bnc#925368)
- * Heartbeat user rating system
- * Yandex set as default search provider for the Turkish locale
- * Bing search now uses HTTPS for secure searching
- * Improved protection against site impersonation via OneCRL
- centralized certificate revocation
- * Opportunistically encrypt HTTP traffic where the server supports
- HTTP/2 AltSvc
- * some more behaviour changes for TLS
- security fixes:
- * MFSA 2015-30/CVE-2015-0814/CVE-2015-0815
- Miscellaneous memory safety hazards
- * MFSA 2015-31/CVE-2015-0813 (bmo#1106596))
- Use-after-free when using the Fluendo MP3 GStreamer plugin
- * MFSA 2015-32/CVE-2015-0812 (bmo#1128126)
- Add-on lightweight theme installation approval bypassed through
- MITM attack
- * MFSA 2015-33/CVE-2015-0816 (bmo#1144991)
- resource:// documents can load privileged pages
- * MFSA-2015-34/CVE-2015-0811 (bmo#1132468)
- Out of bounds read in QCMS library
- * MFSA-2015-35/CVE-2015-0810 (bmo#1125013)
- Cursor clickjacking with flash and images (OS X only)
- * MFSA-2015-36/CVE-2015-0808 (bmo#1109552)
- Incorrect memory management for simple-type arrays in WebRTC
- * MFSA-2015-37/CVE-2015-0807 (bmo#1111834)
- CORS requests should not follow 30x redirections after preflight
- * MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 (bmo#1135511, bmo#1099437)
- Memory corruption crashes in Off Main Thread Compositing
- * MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (bmo#1134560)
- Use-after-free due to type confusion flaws
- * MFSA-2015-40/CVE-2015-0801 (bmo#1146339)
- Same-origin bypass through anchor navigation
- * MFSA-2015-41/CVE-2015-0800/CVE-2012-2808
- PRNG weakness allows for DNS poisoning on Android (only)
- * MFSA-2015-42/CVE-2015-0802 (bmo#1124898)
- Windows can retain access to privileged content on navigation
- to unprivileged pages
-- removed obsolete patches
- * mozilla-bmo1088588.patch
- * mozilla-bmo1108834.patch
-- requires NSPR 4.10.8
-
--------------------------------------------------------------------
-Tue Mar 24 15:35:24 UTC 2015 - dvaleev@suse.com
-
-- Fix builds with skia on Power
- mozilla-skia-be-le.patch (patch from #bmo1136958)
- mozilla-bmo1108834.patch
- mozilla-bmo1005535.patch
-
--------------------------------------------------------------------
-Sat Mar 21 09:03:12 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 36.0.4 (bnc#923534)
- * MFSA 2015-28/CVE-2015-0818 (bmo#1144988)
- Privilege escalation through SVG navigation
- * MFSA 2015-29/CVE-2015-0817 (bmo#1145255)
- Code execution through incorrect JavaScript bounds checking
- elimination
-
--------------------------------------------------------------------
-Fri Mar 20 15:02:33 UTC 2015 - dimstar@opensuse.org
-
-- Copy the icons to /usr/share/icons instead of symlinking them:
- in preparation for containerized apps (e.g. xdg-app) as well as
- AppStream metadata extraction, there are a couple locations that
- need to be real files for system integration (.desktop files,
- icons, mime-type info).
-
--------------------------------------------------------------------
-Sat Mar 7 07:40:56 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 36.0.1
- Bugfixes:
- * Disable the usage of the ANY DNS query type (bmo#1093983)
- * Hello may become inactive until restart (bmo#1137469)
- * Print preferences may not be preserved (bmo#1136855)
- * Hello contact tabs may not be visible (bmo#1137141)
- * Accept hostnames that include an underscore character ("_")
- (bmo#1136616)
- * WebGL may use significant memory with Canvas2d (bmo#1137251)
- * Option -remote has been restored (bmo#1080319)
-- added mozilla-skia-bmo1136958.patch to fix build issues for
- ARM and PPC
-
--------------------------------------------------------------------
-Fri Feb 20 22:53:39 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 36.0 (bnc#917597)
- * mozilla-xremote-client was removed
- * added libclearkey.so media plugin
- * Pinned tiles on the new tab page can be synced
- * Support for the full HTTP/2 protocol. HTTP/2 enables a faster,
- more scalable, and more responsive web.
- * Locale added: Uzbek (uz)
- security fixes:
- * MFSA 2015-11/CVE-2015-0835/CVE-2015-0836
- Miscellaneous memory safety hazards
- * MFSA 2015-12/CVE-2015-0833 (bmo#945192)
- Invoking Mozilla updater will load locally stored DLL files
- (Windows only)
- * MFSA 2015-13/CVE-2015-0832 (bmo#1065909)
- Appended period to hostnames can bypass HPKP and HSTS protections
- * MFSA 2015-14/CVE-2015-0830 (bmo#1110488)
- Malicious WebGL content crash when writing strings
- * MFSA 2015-15/CVE-2015-0834 (bmo#1098314)
- TLS TURN and STUN connections silently fail to simple TCP connections
- * MFSA 2015-16/CVE-2015-0831 (bmo#1130514)
- Use-after-free in IndexedDB
- * MFSA 2015-17/CVE-2015-0829 (bmo#1128939)
- Buffer overflow in libstagefright during MP4 video playback
- * MFSA 2015-18/CVE-2015-0828 (bmo#1030667, bmo#988675)
- Double-free when using non-default memory allocators with a
- zero-length XHR
- * MFSA 2015-19/CVE-2015-0827 (bmo#1117304)
- Out-of-bounds read and write while rendering SVG content
- * MFSA 2015-20/CVE-2015-0826 (bmo#1092363)
- Buffer overflow during CSS restyling
- * MFSA 2015-21/CVE-2015-0825 (bmo#1092370)
- Buffer underflow during MP3 playback
- * MFSA 2015-22/CVE-2015-0824 (bmo#1095925)
- Crash using DrawTarget in Cairo graphics library
- * MFSA 2015-23/CVE-2015-0823 (bmo#1098497)
- Use-after-free in Developer Console date with OpenType Sanitiser
- * MFSA 2015-24/CVE-2015-0822 (bmo#1110557)
- Reading of local files through manipulation of form autocomplete
- * MFSA 2015-25/CVE-2015-0821 (bmo#1111960)
- Local files or privileged URLs in pages can be opened into new tabs
- * MFSA 2015-26/CVE-2015-0819 (bmo#1079554)
- UI Tour whitelisted sites in background tab can spoof foreground
- tabs
- * MFSA 2015-27CVE-2015-0820 (bmo#1125398)
- Caja Compiler JavaScript sandbox bypass
-- rebased patches
-- requires NSS 3.17.4
-
--------------------------------------------------------------------
-Sat Jan 31 18:37:38 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 35.0.1
- * With the Enhanced Steam extension, Firefox could crash (bmo#1123732)
- * Kerberos authentication did not work with alias (bmo#1108971)
- * SVG / CSS animation had a regression causing rendering issues on
- websites like openstreemap.org (bmo#1083079)
- * On Godaddy webmail, Firefox could crash (bmo#1113121)
- * document.baseURI did not get updated to document.location after
- base tag was removed from DOM for site with a CSP (bmo#1121857)
- * With a Right-to-left (RTL) version of Firefox, the text selection
- could be broken (bmo#1104036)
- * CSP had a change in behavior with regard to case sensitivity
- resources loading (bmo#1122445)
-
--------------------------------------------------------------------
-Sat Jan 10 18:36:37 UTC 2015 - wr@rosenauer.org
-
-- update to Firefox 35.0 (bnc#910669)
- notable features:
- * Firefox Hello with new rooms-based conversations model
- * Implemented HTTP Public Key Pinning Extension (for enhanced
- authentication of encrypted connections)
- security fixes:
- * MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
- Miscellaneous memory safety hazards
- * MFSA 2015-02/CVE-2014-8637 (bmo#1094536)
- Uninitialized memory use during bitmap rendering
- * MFSA 2015-03/CVE-2014-8638 (bmo#1080987)
- sendBeacon requests lack an Origin header
- * MFSA 2015-04/CVE-2014-8639 (bmo#1095859)
- Cookie injection through Proxy Authenticate responses
- * MFSA 2015-05/CVE-2014-8640 (bmo#1100409)
- Read of uninitialized memory in Web Audio
- * MFSA 2015-06/CVE-2014-8641 (bmo#1108455)
- Read-after-free in WebRTC
- * MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only)
- Gecko Media Plugin sandbox escape
- * MFSA 2015-08/CVE-2014-8642 (bmo#1079658)
- Delegated OCSP responder certificates failure with
- id-pkix-ocsp-nocheck extension
- * MFSA 2015-09/CVE-2014-8636 (bmo#987794)
- XrayWrapper bypass through DOM objects
-- rebased patches
-- dropped explicit support for everything older than 12.3
- (including SLES11)
- * merge firefox-kde.patch and firefox-kde-114.patch
- * dropped mozilla-sle11.patch
-- reworked specfile to build conditionally based on release channel
- either Firefox or Firefox Developer Edition
-- added mozilla-openaes-decl.patch to fix implicit declarations
-- obsolete tracker-miner-firefox < 0.15 because it leads to startup
- crashes (bnc#908892)
-
--------------------------------------------------------------------
-Sat Dec 13 22:13:00 UTC 2014 - Led <ledest@gmail.com>
-
-- fix bashism in mozilla.sh script
-
--------------------------------------------------------------------
-Sat Nov 29 21:23:03 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 34.0.5 (bnc#908009)
- * Default search engine changed to Yahoo! for North America
- * Default search engine changed to Yandex for Belarusian, Kazakh,
- and Russian locales
- * Improved search bar (en-US only)
- * Firefox Hello real-time communication client
- * Easily switch themes/personas directly in the Customizing mode
- * Implementation of HTTP/2 (draft14) and ALPN
- * Disabled SSLv3
- * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588
- Miscellaneous memory safety hazards
- * MFSA 2014-84/CVE-2014-1589 (bmo#1043787)
- XBL bindings accessible via improper CSS declarations
- * MFSA 2014-85/CVE-2014-1590 (bmo#1087633)
- XMLHttpRequest crashes with some input streams
- * MFSA 2014-86/CVE-2014-1591 (bmo#1069762)
- CSP leaks redirect data via violation reports
- * MFSA 2014-87/CVE-2014-1592 (bmo#1088635)
- Use-after-free during HTML5 parsing
- * MFSA 2014-88/CVE-2014-1593 (bmo#1085175)
- Buffer overflow while parsing media content
- * MFSA 2014-89/CVE-2014-1594 (bmo#1074280)
- Bad casting from the BasicThebesLayer to BasicContainerLayer
-- rebased patches
-- limit linker memory usage for %ix86
-- rebased patches
-
--------------------------------------------------------------------
-Fri Nov 7 20:14:32 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 33.1
- * Adding DuckDuckGo as a search option (upstream)
- * Forget Button added
- * Enhanced Tiles
- * Privacy tour introduced
-- fix typo in GStreamer Recommends
-
--------------------------------------------------------------------
-Tue Nov 4 18:00:35 UTC 2014 - guillaume@opensuse.org
-
-- Disable elf-hack for aarch64
-- Enable EGL for aarch64
-- Limit RAM usage during link for %arm
-- Fix _constraints for ARM
-
--------------------------------------------------------------------
-Mon Nov 3 11:36:04 UTC 2014 - dmueller@suse.com
-
-- use proper macros for ARM
-
--------------------------------------------------------------------
-Mon Nov 3 11:26:23 UTC 2014 - josua.mayer97@gmail.com
-
-- use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
- to fix compiling.
-- pass '-Wl,--no-keep-memory' to linker to reduce required memory during
- linking on arm.
-
--------------------------------------------------------------------
-Thu Oct 30 11:31:05 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 33.0.2
- * Fix a startup crash with some combination of hardware and drivers
- 33.0.1
- * Firefox displays a black screen at start-up with certain
- graphics drivers
-- adjusted _constraints for ARM
-
--------------------------------------------------------------------
-Tue Oct 28 15:23:09 UTC 2014 - josua.mayer97@gmail.com
-
-- added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
-
--------------------------------------------------------------------
-Sat Oct 25 08:45:43 UTC 2014 - wr@rosenauer.org
-
-- define /usr/share/myspell as additional dictionary location
- and remove add-plugins.sh finally (bnc#900639)
-
--------------------------------------------------------------------
-Sun Oct 19 12:59:28 UTC 2014 - vindex17@outlook.it
-
-- use Firefox default optimization flags instead of -Os
-- specfile cleanup
-
--------------------------------------------------------------------
-Wed Oct 15 08:05:33 UTC 2014 - wr@rosenauer.org
-
-- fix build for all ppc by not enabling elf-hack
- (bnc#901213)
-
--------------------------------------------------------------------
-Sat Oct 11 08:48:24 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 33.0 (bnc#900941)
- New features:
- * OpenH264 support (sandboxed)
- * Enhanced Tiles
- * Improved search experience through the location bar
- * Slimmer and faster JavaScript strings
- * New CSP (Content Security Policy) backend
- * Support for connecting to HTTP proxy over HTTPS
- * Improved reliability of the session restoration
- * Proprietary window.crypto properties/functions removed
- Security:
- * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575
- Miscellaneous memory safety hazards
- * MFSA 2014-75/CVE-2014-1576 (bmo#1041512)
- Buffer overflow during CSS manipulation
- * MFSA 2014-76/CVE-2014-1577 (bmo#1012609)
- Web Audio memory corruption issues with custom waveforms
- * MFSA 2014-77/CVE-2014-1578 (bmo#1063327)
- Out-of-bounds write with WebM video
- * MFSA 2014-78/CVE-2014-1580 (bmo#1063733)
- Further uninitialized memory use during GIF rendering
- * MFSA 2014-79/CVE-2014-1581 (bmo#1068218)
- Use-after-free interacting with text directionality
- * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
- Key pinning bypasses
- * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
- Inconsistent video sharing within iframe
- * MFSA 2014-82/CVE-2014-1583 (bmo#1015540)
- Accessing cross-origin objects via the Alarms API
- (only relevant for installed web apps)
-- requires NSPR 4.10.7
-- requires NSS 3.17.1
-- removed obsolete patches:
- * mozilla-ppc.patch
- * mozilla-libproxy-compat.patch
-- added basic appdata information
-
--------------------------------------------------------------------
-Sat Sep 20 13:33:51 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 32.0.2
- * just a version bump for our builds
- * fixed the in application update process for certain environments
- (in application update is not enabled in openSUSE and Linux
- is unaffected in any case)
-- build with --disable-optimize for 13.1 and above for i586 to
- workaround miscompilations (bnc#896624)
-- use some more build flags to align with upstream
-
--------------------------------------------------------------------
-Sat Sep 13 16:58:16 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 32.0.1
- * fixed stability issues for computers with multiple graphics cards
- * mixed content icon may be incorrectly displayed instead of lock
- icon for SSL sites in 32.0 (
- * WebRTC: setRemoteDescription() silently fails if no success
- callback is specified (bmo#1063971)
-
--------------------------------------------------------------------
-Sun Aug 31 07:44:54 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 32.0 (bnc#894370)
- * MFSA 2014-67/CVE-2014-1553/CVE-2014-1554/CVE-2014-1562
- Miscellaneous memory safety hazards
- * MFSA 2014-68/CVE-2014-1563 (bmo#1018524)
- Use-after-free during DOM interactions with SVG
- * MFSA 2014-69/CVE-2014-1564 (bmo#1045977)
- Uninitialized memory use during GIF rendering
- * MFSA 2014-70/CVE-2014-1565 (bmo#1047831)
- Out-of-bounds read in Web Audio audio timeline
- * MFSA 2014-72/CVE-2014-1567 (bmo#1037641)
- Use-after-free setting text directionality
-- rebased patches
-- requires NSS 3.16.4
-- removed upstreamed patch
- * mozilla-aarch64-bmo-810631.patch
-
--------------------------------------------------------------------
-Wed Aug 20 13:50:58 CEST 2014 - behlert@suse.de
-
-- adapted _constraints, used more than 3900MB on s390x during
- last build
-
--------------------------------------------------------------------
-Sun Jul 20 18:11:44 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 31.0 (bnc#887746)
- * MFSA 2014-56/CVE-2014-1547/CVE-2014-1548
- Miscellaneous memory safety hazards
- * MFSA 2014-57/CVE-2014-1549 (bmo#1020205)
- Buffer overflow during Web Audio buffering for playback
- * MFSA 2014-58/CVE-2014-1550 (bmo#1020411)
- Use-after-free in Web Audio due to incorrect control message ordering
- * MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375)
- Toolbar dialog customization event spoofing
- * MFSA 2014-61/CVE-2014-1555 (bmo#1023121)
- Use-after-free with FireOnStateChange event
- * MFSA 2014-62/CVE-2014-1556 (bmo#1028891)
- Exploitable WebGL crash with Cesium JavaScript library
- * MFSA 2014-63/CVE-2014-1544 (bmo#963150)
- Use-after-free while when manipulating certificates in the trusted cache
- (solved with NSS 3.16.2 requirement)
- * MFSA 2014-64/CVE-2014-1557 (bmo#913805)
- Crash in Skia library when scaling high quality images
- * MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560
- (bmo#1015973, bmo#1026022, bmo#997795)
- Certificate parsing broken by non-standard character encoding
- * MFSA 2014-66/CVE-2014-1552 (bmo#985135)
- IFRAME sandbox same-origin access through redirect
-- use EGL on ARM
-- rebased patches
-- requires NSS 3.16.2
-- requires python-devel (not only python)
-
--------------------------------------------------------------------
-Mon Jun 9 08:28:17 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 30.0 (bnc#881874)
- * MFSA 2014-48/CVE-2014-1533/CVE-2014-1534
- (bmo#921622, bmo#967354, bmo#969517, bmo#969549, bmo#973874,
- bmo#978652, bmo#978811, bmo#988719, bmo#990868, bmo#991981,
- bmo#992274, bmo#994907, bmo#995679, bmo#995816, bmo#995817,
- bmo#996536, bmo#996715, bmo#999651, bmo#1000598,
- bmo#1000960, bmo#1002340, bmo#1005578, bmo#1007223,
- bmo#1009952, bmo#1011007)
- Miscellaneous memory safety hazards (rv:30.0)
- * MFSA 2014-49/CVE-2014-1536/CVE-2014-1537/CVE-2014-1538
- (bmo#989994, bmo#999274, bmo#1005584)
- Use-after-free and out of bounds issues found using Address
- Sanitizer
- * MFSA 2014-50/CVE-2014-1539 (bmo#995603)
- Clickjacking through cursor invisability after Flash interaction
- * MFSA 2014-51/CVE-2014-1540 (bmo#978862)
- Use-after-free in Event Listener Manager
- * MFSA 2014-52/CVE-2014-1541 (bmo#1000185)
- Use-after-free with SMIL Animation Controller
- * MFSA 2014-53/CVE-2014-1542 (bmo#991533)
- Buffer overflow in Web Audio Speex resampler
- * MFSA 2014-54/CVE-2014-1543 (bmo#1011859)
- Buffer overflow in Gamepad API
- * MFSA 2014-55/CVE-2014-1545 (bmo#1018783)
- Out of bounds write in NSPR
-- rebased patches
-- removed obsolete patches
- * firefox-browser-css.patch
- * mozilla-aarch64-bmo-962488.patch
- * mozilla-aarch64-bmo-963023.patch
- * mozilla-aarch64-bmo-963024.patch
- * mozilla-aarch64-bmo-963027.patch
- * mozilla-ppc64-xpcom.patch
- * mozilla-ppc64le-javascript.patch
- * mozilla-ppc64le-libffi.patch
- * mozilla-ppc64le-mfbt.patch
- * mozilla-ppc64le-webrtc.patch
- * mozilla-ppc64le-xpcom.patch
- * mozilla-ppc64le-build.patch
-- requires NSPR 4.10.6
-- enabled GStreamer 1.0 usage for 13.2 and above
-
--------------------------------------------------------------------
-Sat May 10 06:09:37 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 29.0.1
- * Seer disabled by default (bmo#1005958)
- * Session Restore failed with a corrupted sessionstore.js file
- (bmo#1001167)
- * pdf.js printing white page (bmo#1003707, bnc#876833)
-- general.useragent.locale gets overwritten with en-US while it
- should be using the active langpack's setting
-
--------------------------------------------------------------------
-Sat Apr 26 12:18:07 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 29.0 (bnc#875378)
- * MFSA 2014-34/CVE-2014-1518/CVE-2014-1519
- Miscellaneous memory safety hazards
- * MFSA 2014-36/CVE-2014-1522 (bmo#995289)
- Web Audio memory corruption issues
- * MFSA 2014-37/CVE-2014-1523 (bmo#969226)
- Out of bounds read while decoding JPG images
- * MFSA 2014-38/CVE-2014-1524 (bmo#989183)
- Buffer overflow when using non-XBL object as XBL
- * MFSA 2014-39/CVE-2014-1525 (bmo#989210)
- Use-after-free in the Text Track Manager for HTML video
- * MFSA 2014-41/CVE-2014-1528 (bmo#963962)
- Out-of-bounds write in Cairo
- * MFSA 2014-42/CVE-2014-1529 (bmo#987003)
- Privilege escalation through Web Notification API
- * MFSA 2014-43/CVE-2014-1530 (bmo#895557)
- Cross-site scripting (XSS) using history navigations
- * MFSA 2014-44/CVE-2014-1531 (bmo#987140)
- Use-after-free in imgLoader while resizing images
- * MFSA 2014-45/CVE-2014-1492 (bmo#903885)
- Incorrect IDNA domain name matching for wildcard certificates
- (fixed by NSS 3.16)
- * MFSA 2014-46/CVE-2014-1532 (bmo#966006)
- Use-after-free in nsHostResolver
- * MFSA 2014-47/CVE-2014-1526 (bmo#988106)
- Debugger can bypass XrayWrappers with JavaScript
-- rebased patches
-- removed obsolete patches
- * firefox-browser-css.patch
- * mozilla-aarch64-599882cfb998.diff
- * mozilla-aarch64-bmo-963028.patch
- * mozilla-aarch64-bmo-963029.patch
- * mozilla-aarch64-bmo-963030.patch
- * mozilla-aarch64-bmo-963031.patch
-- requires NSS 3.16
-- added mozilla-icu-strncat.patch to fix post build checks
-
--------------------------------------------------------------------
-Mon Apr 7 15:34:31 UTC 2014 - dmueller@suse.com
-
-- add mozilla-aarch64-599882cfb998.patch,
- mozilla-aarch64-bmo-810631.patch,
- mozilla-aarch64-bmo-962488.patch,
- mozilla-aarch64-bmo-963030.patch,
- mozilla-aarch64-bmo-963027.patch,
- mozilla-aarch64-bmo-963028.patch,
- mozilla-aarch64-bmo-963029.patch,
- mozilla-aarch64-bmo-963023.patch,
- mozilla-aarch64-bmo-963024.patch,
- mozilla-aarch64-bmo-963031.patch: AArch64 porting
-
--------------------------------------------------------------------
-Mon Mar 24 16:18:44 UTC 2014 - dvaleev@suse.com
-
-- Add patch for bmo#973977
- * mozilla-ppc64-xpcom.patch
-
--------------------------------------------------------------------
-Mon Mar 24 14:29:12 UTC 2014 - dvaleev@suse.com
-
-- Refresh mozilla-ppc64le-xpcom.patch patch
-
--------------------------------------------------------------------
-Fri Mar 21 19:01:42 UTC 2014 - dvaleev@suse.com
-
-- Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0 build system
-
--------------------------------------------------------------------
-Sun Mar 16 13:39:15 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 28.0 (bnc#868603)
- * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494
- Miscellaneous memory safety hazards
- * MFSA 2014-17/CVE-2014-1497 (bmo#966311)
- Out of bounds read during WAV file decoding
- * MFSA 2014-18/CVE-2014-1498 (bmo#935618)
- crypto.generateCRMFRequest does not validate type of key
- * MFSA 2014-19/CVE-2014-1499 (bmo#961512)
- Spoofing attack on WebRTC permission prompt
- * MFSA 2014-20/CVE-2014-1500 (bmo#956524)
- onbeforeunload and Javascript navigation DOS
- * MFSA 2014-22/CVE-2014-1502 (bmo#972622)
- WebGL content injection from one domain to rendering in another
- * MFSA 2014-23/CVE-2014-1504 (bmo#911547)
- Content Security Policy for data: documents not preserved by
- session restore
- * MFSA 2014-26/CVE-2014-1508 (bmo#963198)
- Information disclosure through polygon rendering in MathML
- * MFSA 2014-27/CVE-2014-1509 (bmo#966021)
- Memory corruption in Cairo during PDF font rendering
- * MFSA 2014-28/CVE-2014-1505 (bmo#941887)
- SVG filters information disclosure through feDisplacementMap
- * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906, bmo#982909)
- Privilege escalation using WebIDL-implemented APIs
- * MFSA 2014-30/CVE-2014-1512 (bmo#982957)
- Use-after-free in TypeObject
- * MFSA 2014-31/CVE-2014-1513 (bmo#982974)
- Out-of-bounds read/write through neutering ArrayBuffer objects
- * MFSA 2014-32/CVE-2014-1514 (bmo#983344)
- Out-of-bounds write through TypedArrayObject after neutering
-- requires NSPR 4.10.3 and NSS 3.15.5
-- new build dependency (and recommends):
- * libpulse
-- update of PowerPC 64 patches (bmo#976648) (pcerny@suse.com)
-- rebased patches
-
--------------------------------------------------------------------
-Mon Feb 17 11:59:28 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 27.0.1
- * Fixed stability issues with Greasemonkey and other JS that used
- ClearTimeoutOrInterval
- * JS math correctness issue (bmo#941381)
-- incorporate Google API key for geolocation (bnc#864170)
-- updated list of "other" locales in RPM requirements
-
--------------------------------------------------------------------
-Tue Jan 28 15:45:41 UTC 2014 - wr@rosenauer.org
-
-- update to Firefox 27.0 (bnc#861847)
- * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478
- Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
- * MFSA 2014-02/CVE-2014-1479 (bmo#911864)
- Clone protected content with XBL scopes
- * MFSA 2014-03/CVE-2014-1480 (bmo#916726)
- UI selection timeout missing on download prompts
- * MFSA 2014-04/CVE-2014-1482 (bmo#943803)
- Incorrect use of discarded images by RasterImage
- * MFSA 2014-05/CVE-2014-1483 (bmo#950427)
- Information disclosure with *FromPoint on iframes
- * MFSA 2014-06/CVE-2014-1484 (bmo#953993)
- Profile path leaks to Android system log
- * MFSA 2014-07/CVE-2014-1485 (bmo#910139)
- XSLT stylesheets treated as styles in Content Security Policy
- * MFSA 2014-08/CVE-2014-1486 (bmo#942164)
- Use-after-free with imgRequestProxy and image proccessing
- * MFSA 2014-09/CVE-2014-1487 (bmo#947592)
- Cross-origin information leak through web workers
- * MFSA 2014-10/CVE-2014-1489 (bmo#959531)
- Firefox default start page UI content invokable by script
- * MFSA 2014-11/CVE-2014-1488 (bmo#950604)
- Crash when using web workers with asm.js
- * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
- (bmo#934545, bmo#930874, bmo#930857)
- NSS ticket handling issues
- * MFSA 2014-13/CVE-2014-1481(bmo#936056)
- Inconsistent JavaScript handling of access to Window objects
-- requires NSS 3.15.4 or higher
-- rebased/reworked patches
-- removed obsolete mozilla-bug929439.patch
-
--------------------------------------------------------------------
-Thu Dec 12 21:19:54 UTC 2013 - uweigand@de.ibm.com
-
-- Add support for powerpc64le-linux.
- * mozilla-ppc64le.patch: general support
- * mozilla-libffi-ppc64le.patch: libffi backport
- * mozilla-xpcom-ppc64le.patch: port xpcom
-- Add build fix from mainline.
- * mozilla-bug929439.patch
-
--------------------------------------------------------------------
-Sun Dec 8 20:26:23 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 26.0 (bnc#854367, bnc#854370)
- * rebased patches
- * requires NSPR 4.10.2 and NSS 3.15.3.1
- * MFSA 2013-104/CVE-2013-5609/CVE-2013-5610
- Miscellaneous memory safety hazards
- * MFSA 2013-105/CVE-2013-5611 (bmo#771294)
- Application Installation doorhanger persists on navigation
- * MFSA 2013-106/CVE-2013-5612 (bmo#871161)
- Character encoding cross-origin XSS attack
- * MFSA 2013-107/CVE-2013-5614 (bmo#886262)
- Sandbox restrictions not applied to nested object elements
- * MFSA 2013-108/CVE-2013-5616 (bmo#938341)
- Use-after-free in event listeners
- * MFSA 2013-109/CVE-2013-5618 (bmo#926361)
- Use-after-free during Table Editing
- * MFSA 2013-110/CVE-2013-5619 (bmo#917841)
- Potential overflow in JavaScript binary search algorithms
- * MFSA 2013-111/CVE-2013-6671 (bmo#930281)
- Segmentation violation when replacing ordered list elements
- * MFSA 2013-112/CVE-2013-6672 (bmo#894736)
- Linux clipboard information disclosure though selection paste
- * MFSA 2013-113/CVE-2013-6673 (bmo#970380)
- Trust settings for built-in roots ignored during EV certificate
- validation
- * MFSA 2013-114/CVE-2013-5613 (bmo#930381, bmo#932449)
- Use-after-free in synthetic mouse movement
- * MFSA 2013-115/CVE-2013-5615 (bmo#929261)
- GetElementIC typed array stubs can be generated outside observed
- typesets
- * MFSA 2013-116/CVE-2013-6629/CVE-2013-6630 (bmo#891693)
- JPEG information leak
- * MFSA 2013-117 (bmo#946351)
- Mis-issued ANSSI/DCSSI certificate
- (fixed via NSS 3.15.3.1)
-- removed gecko.js preference file as GStreamer is enabled by
- default now
-
--------------------------------------------------------------------
-Thu Oct 24 18:16:19 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 25.0 (bnc#847708)
- * rebased patches
- * requires NSS 3.15.2 or above
- * MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592
- Miscellaneous memory safety hazards
- * MFSA 2013-94/CVE-2013-5593 (bmo#868327)
- Spoofing addressbar through SELECT element
- * MFSA 2013-95/CVE-2013-5604 (bmo#914017)
- Access violation with XSLT and uninitialized data
- * MFSA 2013-96/CVE-2013-5595 (bmo#916580)
- Improperly initialized memory and overflows in some JavaScript
- functions
- * MFSA 2013-97/CVE-2013-5596 (bmo#910881)
- Writing to cycle collected object during image decoding
- * MFSA 2013-98/CVE-2013-5597 (bmo#918864)
- Use-after-free when updating offline cache
- * MFSA 2013-99/CVE-2013-5598 (bmo#920515)
- Security bypass of PDF.js checks using iframes
- * MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601
- (bmo#915210, bmo#915576, bmo#916685)
- Miscellaneous use-after-free issues found through ASAN fuzzing
- * MFSA 2013-101/CVE-2013-5602 (bmo#897678)
- Memory corruption in workers
- * MFSA 2013-102/CVE-2013-5603 (bmo#916404)
- Use-after-free in HTML document templates
-
--------------------------------------------------------------------
-Tue Sep 24 07:31:30 UTC 2013 - wr@rosenauer.org
-
-- as GStreamer is not automatically required anymore but loaded
- dynamically if available, require it explicitely
-- recommend optional GStreamer plugins for comprehensive media
- support
-
--------------------------------------------------------------------
-Mon Sep 16 11:59:18 UTC 2013 - lnussel@suse.de
-
-- move greek to the translations-common package (bnc#840551)
-
--------------------------------------------------------------------
-Sat Sep 14 14:39:58 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 24.0 (bnc#840485)
- * MFSA 2013-76/CVE-2013-1718/CVE-2013-1719
- Miscellaneous memory safety hazards
- * MFSA 2013-77/CVE-2013-1720 (bmo#888820)
- Improper state in HTML5 Tree Builder with templates
- * MFSA 2013-78/CVE-2013-1721 (bmo#890277)
- Integer overflow in ANGLE library
- * MFSA 2013-79/CVE-2013-1722 (bmo#893308)
- Use-after-free in Animation Manager during stylesheet cloning
- * MFSA 2013-80/CVE-2013-1723 (bmo#891292)
- NativeKey continues handling key messages after widget is destroyed
- * MFSA 2013-81/CVE-2013-1724 (bmo#894137)
- Use-after-free with select element
- * MFSA 2013-82/CVE-2013-1725 (bmo#876762)
- Calling scope for new Javascript objects can lead to memory corruption
- * MFSA 2013-85/CVE-2013-1728 (bmo#883686)
- Uninitialized data in IonMonkey
- * MFSA 2013-88/CVE-2013-1730 (bmo#851353)
- Compartment mismatch re-attaching XBL-backed nodes
- * MFSA 2013-89/CVE-2013-1732 (bmo#883514)
- Buffer overflow with multi-column, lists, and floats
- * MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301)
- Memory corruption involving scrolling
- * MFSA 2013-91/CVE-2013-1737 (bmo#907727)
- User-defined properties on DOM proxies get the wrong "this" object
- * MFSA 2013-92/CVE-2013-1738 (bmo#887334, bmo#882897)
- GC hazard with default compartments and frame chain restoration
-- enable gstreamer explicitely via pref (gecko.js)
-- require NSS 3.15.1
-
--------------------------------------------------------------------
-Mon Aug 26 07:35:36 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 23.0.1
- * Audio static/"burble"/breakup in Firefox to Firefox WebRTC calls
- (bmo#901527)
-
--------------------------------------------------------------------
-Sun Aug 4 18:30:11 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 23.0 (bnc#833389)
- * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702
- Miscellaneous memory safety hazards
- * MFSA 2013-64/CVE-2013-1704 (bmo#883313)
- Use after free mutating DOM during SetBody
- * MFSA 2013-65/CVE-2013-1705 (bmo#882865)
- Buffer underflow when generating CRMF requests
- * MFSA 2013-67/CVE-2013-1708 (bmo#879924)
- Crash during WAV audio file decoding
- * MFSA 2013-68/CVE-2013-1709 (bmo#838253)
- Document URI misrepresentation and masquerading
- * MFSA 2013-69/CVE-2013-1710 (bmo#871368)
- CRMF requests allow for code execution and XSS attacks
- * MFSA 2013-70/CVE-2013-1711 (bmo#843829)
- Bypass of XrayWrappers using XBL Scopes
- * MFSA 2013-72/CVE-2013-1713 (bmo#887098)
- Wrong principal used for validating URI for some Javascript
- components
- * MFSA 2013-73/CVE-2013-1714 (bmo#879787)
- Same-origin bypass with web workers and XMLHttpRequest
- * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
- Local Java applets may read contents of local file system
-- requires NSPR 4.10 and NSS 3.15
-
--------------------------------------------------------------------
-Wed Jul 3 17:14:35 UTC 2013 - dmueller@suse.com
-
-- fix build on ARM (/-g/ matches /-grecord-switches/)
-
--------------------------------------------------------------------
-Sat Jun 22 17:48:06 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 22.0 (bnc#825935)
- * removed obsolete patches
- + mozilla-qcms-ppc.patch
- + mozilla-gstreamer-760140.patch
- * GStreamer support does not build on 12.1 anymore (build only
- on 12.2 and later)
- * MFSA 2013-49/CVE-2013-1682/CVE-2013-1683
- Miscellaneous memory safety hazards
- * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686
- Memory corruption found using Address Sanitizer
- * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823)
- Privileged content access and execution via XBL
- * MFSA 2013-52/CVE-2013-1688 (bmo#873966)
- Arbitrary code execution within Profiler
- * MFSA 2013-53/CVE-2013-1690 (bmo#857883)
- Execution of unmapped memory through onreadystatechange event
- * MFSA 2013-54/CVE-2013-1692 (bmo#866915)
- Data in the body of XHR HEAD requests leads to CSRF attacks
- * MFSA 2013-55/CVE-2013-1693 (bmo#711043)
- SVG filters can lead to information disclosure
- * MFSA 2013-56/CVE-2013-1694 (bmo#848535)
- PreserveWrapper has inconsistent behavior
- * MFSA 2013-57/CVE-2013-1695 (bmo#849791)
- Sandbox restrictions not applied to nested frame elements
- * MFSA 2013-58/CVE-2013-1696 (bmo#761667)
- X-Frame-Options ignored when using server push with multi-part
- responses
- * MFSA 2013-59/CVE-2013-1697 (bmo#858101)
- XrayWrappers can be bypassed to run user defined methods in a
- privileged context
- * MFSA 2013-60/CVE-2013-1698 (bmo#876044)
- getUserMedia permission dialog incorrectly displays location
- * MFSA 2013-61/CVE-2013-1699 (bmo#840882)
- Homograph domain spoofing in .com, .net and .name
-
--------------------------------------------------------------------
-Tue Jun 11 21:06:58 UTC 2013 - dvaleev@suse.com
-
-- Fix qcms altivec include (mozilla-qcms-ppc.patch)
-
--------------------------------------------------------------------
-Fri May 10 05:25:39 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 21.0 (bnc#819204)
- * removed upstreamed patch firefox-712763.patch
- * removed disabled mozilla-disable-neon-option.patch
- * MFSA 2013-41/CVE-2013-0801/CVE-2013-1669
- Miscellaneous memory safety hazards
- * MFSA 2013-42/CVE-2013-1670 (bmo#853709)
- Privileged access for content level constructor
- * MFSA 2013-43/CVE-2013-1671 (bmo#842255)
- File input control has access to full path
- * MFSA 2013-46/CVE-2013-1674 (bmo#860971)
- Use-after-free with video and onresize event
- * MFSA 2013-47/CVE-2013-1675 (bmo#866825)
- Uninitialized functions in DOMSVGZoomEvent
- * MFSA 2013-48/CVE-2013-1676/CVE-2013-1677/CVE-2013-1678/
- CVE-2013-1679/CVE-2013-1680/CVE-2013-1681
- Memory corruption found using Address Sanitizer
-
--------------------------------------------------------------------
-Tue Apr 9 06:41:31 UTC 2013 - wr@rosenauer.org
-
-- revert to use GStreamer 0.10 on 12.3 (bnc#814101)
- (remove mozilla-gstreamer-1.patch)
-
--------------------------------------------------------------------
-Fri Apr 5 17:04:11 UTC 2013 - schwab@linux-m68k.org
-
-- Explicitly disable WebRTC support on non-x86, the configure script
- disables it only half-heartedly
-
--------------------------------------------------------------------
-Fri Mar 29 22:15:21 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 20.0 (bnc#813026)
- * requires NSPR 4.9.5 and NSS 3.14.3
- * mozilla-webrtc-ppc.patch included upstream
- * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789
- Miscellaneous memory safety hazards
- * MFSA 2013-31/CVE-2013-0800 (bmo#825721)
- Out-of-bounds write in Cairo library
- * MFSA 2013-35/CVE-2013-0796 (bmo#827106)
- WebGL crash with Mesa graphics driver on Linux
- * MFSA 2013-36/CVE-2013-0795 (bmo#825697)
- Bypass of SOW protections allows cloning of protected nodes
- * MFSA 2013-37/CVE-2013-0794 (bmo#626775)
- Bypass of tab-modal dialog origin disclosure
- * MFSA 2013-38/CVE-2013-0793 (bmo#803870)
- Cross-site scripting (XSS) using timed history navigations
- * MFSA 2013-39/CVE-2013-0792 (bmo#722831)
- Memory corruption while rendering grayscale PNG images
-- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)
-
--------------------------------------------------------------------
-Tue Mar 12 23:08:15 UTC 2013 - dmueller@suse.com
-
-- build fixes for armv7hl:
- * disable debug build as armv7hl does not have enough memory
- * disable webrtc on armv7hl as it is non-compiling
-
--------------------------------------------------------------------
-Thu Mar 7 19:03:32 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 19.0.2 (bnc#808243)
- * MFSA 2013-29/CVE-2013-0787 (bmo#848644)
- Use-after-free in HTML Editor
-
--------------------------------------------------------------------
-Thu Feb 28 22:06:36 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 19.0.1
- * blocklist updates
-
--------------------------------------------------------------------
-Sat Feb 16 07:08:55 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 19.0 (bnc#804248)
- * MFSA 2013-21/CVE-2013-0783/2013-0784
- Miscellaneous memory safety hazards
- * MFSA 2013-22/CVE-2013-0772 (bmo#801366)
- Out-of-bounds read in image rendering
- * MFSA 2013-23/CVE-2013-0765 (bmo#830614)
- Wrapped WebIDL objects can be wrapped again
- * MFSA 2013-24/CVE-2013-0773 (bmo#809652)
- Web content bypass of COW and SOW security wrappers
- * MFSA 2013-25/CVE-2013-0774 (bmo#827193)
- Privacy leak in JavaScript Workers
- * MFSA 2013-26/CVE-2013-0775 (bmo#831095)
- Use-after-free in nsImageLoadingContent
- * MFSA 2013-27/CVE-2013-0776 (bmo#796475)
- Phishing on HTTPS connection through malicious proxy
- * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/
- CVE-2013-0778/CVE-2013-0779/CVE-2013-0781
- Use-after-free, out of bounds read, and buffer overflow issues
- found using Address Sanitizer
-- removed obsolete patches
- * mozilla-webrtc.patch
- * mozilla-gstreamer-803287.patch
-- added patch to fix session restore window order (bmo#712763)
-
--------------------------------------------------------------------
-Sat Feb 2 08:40:52 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 18.0.2
- * blocklist and CTP updates
- * fixes in JS engine
-
--------------------------------------------------------------------
-Wed Jan 16 20:51:55 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 18.0.1
- * blocklist updates
- * backed out bmo#677092 (removed patch)
- * fixed problems involving HTTP proxy transactions
-
--------------------------------------------------------------------
-Sat Jan 12 17:25:11 UTC 2013 - schwab@linux-m68k.org
-
-- Fix WebRTC to build on powerpc
-
--------------------------------------------------------------------
-Sun Jan 6 21:54:18 UTC 2013 - wr@rosenauer.org
-
-- update to Firefox 18.0 (bnc#796895)
- * MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770
- Miscellaneous memory safety hazards
- * MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767
- CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829
- Use-after-free and buffer overflow issues found using Address Sanitizer
- * MFSA 2013-03/CVE-2013-0768 (bmo#815795)
- Buffer Overflow in Canvas
- * MFSA 2013-04/CVE-2012-0759 (bmo#802026)
- URL spoofing in addressbar during page loads
- * MFSA 2013-05/CVE-2013-0744 (bmo#814713)
- Use-after-free when displaying table with many columns and column groups
- * MFSA 2013-06/CVE-2013-0751 (bmo#790454)
- Touch events are shared across iframes
- * MFSA 2013-07/CVE-2013-0764 (bmo#804237)
- Crash due to handling of SSL on threads
- * MFSA 2013-08/CVE-2013-0745 (bmo#794158)
- AutoWrapperChanger fails to keep objects alive during garbage collection
- * MFSA 2013-09/CVE-2013-0746 (bmo#816842)
- Compartment mismatch with quickstubs returned values
- * MFSA 2013-10/CVE-2013-0747 (bmo#733305)
- Event manipulation in plugin handler to bypass same-origin policy
- * MFSA 2013-11/CVE-2013-0748 (bmo#806031)
- Address space layout leaked in XBL objects
- * MFSA 2013-12/CVE-2013-0750 (bmo#805121)
- Buffer overflow in Javascript string concatenation
- * MFSA 2013-13/CVE-2013-0752 (bmo#805024)
- Memory corruption in XBL with XML bindings containing SVG
- * MFSA 2013-14/CVE-2013-0757 (bmo#813901)
- Chrome Object Wrapper (COW) bypass through changing prototype
- * MFSA 2013-15/CVE-2013-0758 (bmo#813906)
- Privilege escalation through plugin objects
- * MFSA 2013-16/CVE-2013-0753 (bmo#814001)
- Use-after-free in serializeToStream
- * MFSA 2013-17/CVE-2013-0754 (bmo#814026)
- Use-after-free in ListenerManager
- * MFSA 2013-18/CVE-2013-0755 (bmo#814027)
- Use-after-free in Vibrate
- * MFSA 2013-19/CVE-2013-0756 (bmo#814029)
- Use-after-free in Javascript Proxy objects
-- requires NSS 3.14.1 (MFSA 2013-20, CVE-2013-0743)
-- removed obsolete SLE11 patches (mozilla-gcc43*)
-- reenable WebRTC
-- added mozilla-libproxy-compat.patch for libproxy API compat
- on openSUSE 11.2 and earlier
-- backed out restartless language packs as it broke multi-locale
- setup (bmo#677092, bmo#818468)
-
--------------------------------------------------------------------
-Thu Nov 29 19:56:51 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 17.0.1
- * revert some useragent changes introduced in 17.0
- * leaving private browsing with social enabled doesn't reset all
- social components (bmo#815042)
-- fix KDE integration for file dialogs
-
--------------------------------------------------------------------
-Tue Nov 20 19:52:02 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 17.0 (bnc#790140)
- * MFSA 2012-91/CVE-2012-5842/CVE-2012-5843
- Miscellaneous memory safety hazards
- * MFSA 2012-92/CVE-2012-4202 (bmo#758200)
- Buffer overflow while rendering GIF images
- * MFSA 2012-93/CVE-2012-4201 (bmo#747607)
- evalInSanbox location context incorrectly applied
- * MFSA 2012-94/CVE-2012-5836 (bmo#792857)
- Crash when combining SVG text on path with CSS
- * MFSA 2012-95/CVE-2012-4203 (bmo#765628)
- Javascript: URLs run in privileged context on New Tab page
- * MFSA 2012-96/CVE-2012-4204 (bmo#778603)
- Memory corruption in str_unescape
- * MFSA 2012-97/CVE-2012-4205 (bmo#779821)
- XMLHttpRequest inherits incorrect principal within sandbox
- * MFSA 2012-99/CVE-2012-4208 (bmo#798264)
- XrayWrappers exposes chrome-only properties when not in chrome
- compartment
- * MFSA 2012-100/CVE-2012-5841 (bmo#805807)
- Improper security filtering for cross-origin wrappers
- * MFSA 2012-101/CVE-2012-4207 (bmo#801681)
- Improper character decoding in HZ-GB-2312 charset
- * MFSA 2012-102/CVE-2012-5837 (bmo#800363)
- Script entered into Developer Toolbar runs with chrome privileges
- * MFSA 2012-103/CVE-2012-4209 (bmo#792405)
- Frames can shadow top.location
- * MFSA 2012-104/CVE-2012-4210 (bmo#796866)
- CSS and HTML injection through Style Inspector
- * MFSA 2012-105/CVE-2012-4214/CVE-2012-4215/CVE-2012-4216/
- CVE-2012-5829/CVE-2012-5839/CVE-2012-5840/CVE-2012-4212/
- CVE-2012-4213/CVE-2012-4217/CVE-2012-4218
- Use-after-free and buffer overflow issues found using Address
- Sanitizer
- * MFSA 2012-106/CVE-2012-5830/CVE-2012-5833/CVE-2012-5835/CVE-2012-5838
- Use-after-free, buffer overflow, and memory corruption issues
- found using Address Sanitizer
-- rebased patches
-- disabled WebRTC since build is broken (bmo#776877)
-
--------------------------------------------------------------------
-Tue Nov 20 15:42:55 UTC 2012 - pcerny@suse.com
-
-- build on SLE11
- * mozilla-gcc43-enums.patch
- * mozilla-gcc43-template_hacks.patch
- * mozilla-gcc43-templates_instantiation.patch
-
--------------------------------------------------------------------
-Wed Oct 24 08:27:29 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 16.0.2 (bnc#786522)
- * MFSA 2012-90/CVE-2012-4194/CVE-2012-4195/CVE-2012-4196
- (bmo#800666, bmo#793121, bmo#802557)
- Fixes for Location object issues
-- bring back Obsoletes for libproxy's mozjs plugin for distributions
- before 12.2 to avoid crashes
-
--------------------------------------------------------------------
-Thu Oct 11 01:51:16 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 16.0.1 (bnc#783533)
- * MFSA 2012-88/CVE-2012-4191 (bmo#798045)
- Miscellaneous memory safety hazards
- * MFSA 2012-89/CVE-2012-4192/CVE-2012-4193 (bmo#799952, bmo#720619)
- defaultValue security checks not applied
-
--------------------------------------------------------------------
-Sun Oct 7 21:40:14 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 16.0 (bnc#783533)
- * MFSA 2012-74/CVE-2012-3982/CVE-2012-3983
- Miscellaneous memory safety hazards
- * MFSA 2012-75/CVE-2012-3984 (bmo#575294)
- select element persistance allows for attacks
- * MFSA 2012-76/CVE-2012-3985 (bmo#655649)
- Continued access to initial origin after setting document.domain
- * MFSA 2012-77/CVE-2012-3986 (bmo#775868)
- Some DOMWindowUtils methods bypass security checks
- * MFSA 2012-79/CVE-2012-3988 (bmo#725770)
- DOS and crash with full screen and history navigation
- * MFSA 2012-80/CVE-2012-3989 (bmo#783867)
- Crash with invalid cast when using instanceof operator
- * MFSA 2012-81/CVE-2012-3991 (bmo#783260)
- GetProperty function can bypass security checks
- * MFSA 2012-82/CVE-2012-3994 (bmo#765527)
- top object and location property accessible by plugins
- * MFSA 2012-83/CVE-2012-3993/CVE-2012-4184 (bmo#768101, bmo#780370)
- Chrome Object Wrapper (COW) does not disallow acces to privileged
- functions or properties
- * MFSA 2012-84/CVE-2012-3992 (bmo#775009)
- Spoofing and script injection through location.hash
- * MFSA 2012-85/CVE-2012-3995/CVE-2012-4179/CVE-2012-4180/
- CVE-2012-4181/CVE-2012-4182/CVE-2012-4183
- Use-after-free, buffer overflow, and out of bounds read issues
- found using Address Sanitizer
- * MFSA 2012-86/CVE-2012-4185/CVE-2012-4186/CVE-2012-4187/
- CVE-2012-4188
- Heap memory corruption issues found using Address Sanitizer
- * MFSA 2012-87/CVE-2012-3990 (bmo#787704)
- Use-after-free in the IME State Manager
-- requires NSPR 4.9.2
-- improve GStreamer integration (bmo#760140)
-- removed upstreamed mozilla-crashreporter-restart-args.patch
-- webapprt now included
-- use kmozillahelper's new REVEAL command (bnc#777415)
- (requires mozilla-kde4-integration >= 0.6.4)
-- updated translations-other with new languages
-
--------------------------------------------------------------------
-Mon Sep 10 19:37:56 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 15.0.1 (bnc#779936)
- * Sites visited while in Private Browsing mode could be found
- through manual browser cache inspection (bmo#787743)
-
--------------------------------------------------------------------
-Sun Aug 26 13:47:43 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 15.0 (bnc#777588)
- * MFSA 2012-57/CVE-2012-1970
- Miscellaneous memory safety hazards
- * MFSA 2012-58/CVE-2012-1972/CVE-2012-1973/CVE-2012-1974/CVE-2012-1975
- CVE-2012-1976/CVE-2012-3956/CVE-2012-3957/CVE-2012-3958/CVE-2012-3959
- CVE-2012-3960/CVE-2012-3961/CVE-2012-3962/CVE-2012-3963/CVE-2012-3964
- Use-after-free issues found using Address Sanitizer
- * MFSA 2012-59/CVE-2012-1956 (bmo#756719)
- Location object can be shadowed using Object.defineProperty
- * MFSA 2012-60/CVE-2012-3965 (bmo#769108)
- Escalation of privilege through about:newtab
- * MFSA 2012-61/CVE-2012-3966 (bmo#775794, bmo#775793)
- Memory corruption with bitmap format images with negative height
- * MFSA 2012-62/CVE-2012-3967/CVE-2012-3968
- WebGL use-after-free and memory corruption
- * MFSA 2012-63/CVE-2012-3969/CVE-2012-3970
- SVG buffer overflow and use-after-free issues
- * MFSA 2012-64/CVE-2012-3971
- Graphite 2 memory corruption
- * MFSA 2012-65/CVE-2012-3972 (bmo#746855)
- Out-of-bounds read in format-number in XSLT
- * MFSA 2012-66/CVE-2012-3973 (bmo#757128)
- HTTPMonitor extension allows for remote debugging without explicit
- activation
- * MFSA 2012-68/CVE-2012-3975 (bmo#770684)
- DOMParser loads linked resources in extensions when parsing
- text/html
- * MFSA 2012-69/CVE-2012-3976 (bmo#768568)
- Incorrect site SSL certificate data display
- * MFSA 2012-70/CVE-2012-3978 (bmo#770429)
- Location object security checks bypassed by chrome code
- * MFSA 2012-72/CVE-2012-3980 (bmo#771859)
- Web console eval capable of executing chrome-privileged code
-- fix HTML5 video crash with GStreamer enabled (bmo#761030)
-- GStreamer is only used for MP4 (no WebM, OGG)
-- updated filelist
-- moved browser specific preferences to correct location
-
--------------------------------------------------------------------
-Sun Jul 29 08:34:39 UTC 2012 - aj@suse.de
-
-- Fix mozilla-kde.patch to include sys/resource.h for getrlimit etc (glibc 2.16)
-
--------------------------------------------------------------------
-Sat Jul 14 19:31:51 UTC 2012 - wr@rosenauer.org
-
-- update to 14.0.1 (bnc#771583)
- * MFSA 2012-42/CVE-2012-1949/CVE-2012-1948
- Miscellaneous memory safety hazards
- * MFSA 2012-43/CVE-2012-1950
- Incorrect URL displayed in addressbar through drag and drop
- * MFSA 2012-44/CVE-2012-1951/CVE-2012-1954/CVE-2012-1953/CVE-2012-1952
- Gecko memory corruption
- * MFSA 2012-45/CVE-2012-1955 (bmo#757376)
- Spoofing issue with location
- * MFSA 2012-46/CVE-2012-1966 (bmo#734076)
- XSS through data: URLs
- * MFSA 2012-47/CVE-2012-1957 (bmo#750096)
- Improper filtering of javascript in HTML feed-view
- * MFSA 2012-48/CVE-2012-1958 (bmo#750820)
- use-after-free in nsGlobalWindow::PageHidden
- * MFSA 2012-49/CVE-2012-1959 (bmo#754044, bmo#737559)
- Same-compartment Security Wrappers can be bypassed
- * MFSA 2012-50/CVE-2012-1960 (bmo#761014)
- Out of bounds read in QCMS
- * MFSA 2012-51/CVE-2012-1961 (bmo#761655)
- X-Frame-Options header ignored when duplicated
- * MFSA 2012-52/CVE-2012-1962 (bmo#764296)
- JSDependentString::undepend string conversion results in memory
- corruption
- * MFSA 2012-53/CVE-2012-1963 (bmo#767778)
- Content Security Policy 1.0 implementation errors cause data
- leakage
- * MFSA 2012-55/CVE-2012-1965 (bmo#758990)
- feed: URLs with an innerURI inherit security context of page
- * MFSA 2012-56/CVE-2012-1967 (bmo#758344)
- Code execution through javascript: URLs
-- license change from tri license to MPL-2.0
-- fix crashreporter restart option (bmo#762780)
-- require NSS 3.13.5
-- remove mozjs pacrunner obsoletes again for now
-- adopted mozilla-prefer_plugin_pref.patch
-- PPC fixes:
- * reenabled mozilla-yarr-pcre.patch to fix build for PPC
- * add patches for bmo#750620 and bmo#746112
- * fix xpcshell segfault on ppc
-
--------------------------------------------------------------------
-Fri Jun 15 12:37:09 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 13.0.1
- * bugfix release
-- obsolete libproxy's mozjs pacrunner (bnc#759123)
-
--------------------------------------------------------------------
-Sat Jun 2 08:22:51 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 13.0 (bnc#765204)
- * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
- Miscellaneous memory safety hazards
- * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
- Content Security Policy inline-script bypass
- * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
- Information disclosure though Windows file shares and shortcut
- files
- * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
- Use-after-free while replacing/inserting a node in a document
- * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
- Buffer overflow and use-after-free issues found using Address
- Sanitizer
-- require NSS 3.13.4
- * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
-- fix sound notifications when filename/path contains a whitespace
- (bmo#749739)
-
--------------------------------------------------------------------
-Wed May 23 14:40:16 UTC 2012 - adrian@suse.de
-
-- fix build on arm
-
--------------------------------------------------------------------
-Wed May 16 05:34:01 UTC 2012 - wr@rosenauer.org
-
-- reenabled crashreporter for Factory/12.2
- (fix in mozilla-gcc47.patch)
-
--------------------------------------------------------------------
-Sat Apr 21 10:02:37 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 12.0 (bnc#758408)
- * rebased patches
- * MFSA 2012-20/CVE-2012-0467/CVE-2012-0468
- Miscellaneous memory safety hazards
- * MFSA 2012-22/CVE-2012-0469 (bmo#738985)
- use-after-free in IDBKeyRange
- * MFSA 2012-23/CVE-2012-0470 (bmo#734288)
- Invalid frees causes heap corruption in gfxImageSurface
- * MFSA 2012-24/CVE-2012-0471 (bmo#715319)
- Potential XSS via multibyte content processing errors
- * MFSA 2012-25/CVE-2012-0472 (bmo#744480)
- Potential memory corruption during font rendering using cairo-dwrite
- * MFSA 2012-26/CVE-2012-0473 (bmo#743475)
- WebGL.drawElements may read illegal video memory due to
- FindMaxUshortElement error
- * MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307)
- Page load short-circuit can lead to XSS
- * MFSA 2012-28/CVE-2012-0475 (bmo#694576)
- Ambiguous IPv6 in Origin headers may bypass webserver access
- restrictions
- * MFSA 2012-29/CVE-2012-0477 (bmo#718573)
- Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
- * MFSA 2012-30/CVE-2012-0478 (bmo#727547)
- Crash with WebGL content using textImage2D
- * MFSA 2012-31/CVE-2011-3062 (bmo#739925)
- Off-by-one error in OpenType Sanitizer
- * MFSA 2012-32/CVE-2011-1187 (bmo#624621)
- HTTP Redirections and remote content can be read by javascript errors
- * MFSA 2012-33/CVE-2012-0479 (bmo#714631)
- Potential site identity spoofing when loading RSS and Atom feeds
-- added mozilla-libnotify.patch to allow fallback from libnotify
- to xul based events if no notification-daemon is running
-- gcc 4.7 fixes
- * mozilla-gcc47.patch
- * disabled crashreporter temporarily for Factory
-- recommend libcanberra0 for proper sound notifications
-
--------------------------------------------------------------------
-Fri Mar 9 21:47:07 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 11.0 (bnc#750044)
- * MFSA 2012-13/CVE-2012-0455 (bmo#704354)
- XSS with Drag and Drop and Javascript: URL
- * MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103)
- SVG issues found with Address Sanitizer
- * MFSA 2012-15/CVE-2012-0451 (bmo#717511)
- XSS with multiple Content Security Policy headers
- * MFSA 2012-16/CVE-2012-0458
- Escalation of privilege with Javascript: URL as home page
- * MFSA 2012-17/CVE-2012-0459 (bmo#723446)
- Crash when accessing keyframe cssText after dynamic modification
- * MFSA 2012-18/CVE-2012-0460 (bmo#727303)
- window.fullScreen writeable by untrusted content
- * MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/
- CVE-2012-0463
- Miscellaneous memory safety hazards
-- ported and reenabled KDE integration (bnc#746591)
-- explicitely build-require X libs
-
--------------------------------------------------------------------
-Mon Mar 5 13:31:48 UTC 2012 - vdziewiecki@suse.com
-
-- add Provides: browser(npapi) FATE#313084
-
--------------------------------------------------------------------
-Fri Feb 17 17:41:11 UTC 2012 - pcerny@suse.com
-
-- better plugin directory resolution (bnc#747320)
-
--------------------------------------------------------------------
-Thu Feb 16 08:47:31 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 10.0.2 (bnc#747328)
- * CVE-2011-3026 (bmo#727401)
- libpng: integer overflow leading to heap-buffer overflow
-
--------------------------------------------------------------------
-Thu Feb 9 09:26:11 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 10.0.1 (bnc#746616)
- * MFSA 2012-10/CVE-2012-0452 (bmo#724284)
- use after free in nsXBLDocumentInfo::ReadPrototypeBindings
-
--------------------------------------------------------------------
-Tue Feb 7 10:40:58 UTC 2012 - dvaleev@suse.com
-
-- Use YARR interpreter instead of PCRE on platforms where YARR JIT
- is not supported, since PCRE doesnt build (bmo#691898)
-- fix ppc64 build (bmo#703534)
-
--------------------------------------------------------------------
-Mon Jan 30 09:41:59 UTC 2012 - wr@rosenauer.org
-
-- update to Firefox 10.0 (bnc#744275)
- * MFSA 2012-01/CVE-2012-0442/CVE-2012-0443
- Miscellaneous memory safety hazards
- * MFSA 2012-03/CVE-2012-0445 (bmo#701071)
- <iframe> element exposed across domains via name attribute
- * MFSA 2012-04/CVE-2011-3659 (bmo#708198)
- Child nodes from nsDOMAttribute still accessible after removal
- of nodes
- * MFSA 2012-05/CVE-2012-0446 (bmo#705651)
- Frame scripts calling into untrusted objects bypass security
- checks
- * MFSA 2012-06/CVE-2012-0447 (bmo#710079)
- Uninitialized memory appended when encoding icon images may
- cause information disclosure
- * MFSA 2012-07/CVE-2012-0444 (bmo#719612)
- Potential Memory Corruption When Decoding Ogg Vorbis files
- * MFSA 2012-08/CVE-2012-0449 (bmo#701806, bmo#702466)
- Crash with malformed embedded XSLT stylesheets
-- KDE integration has been disabled since it needs refactoring
-- removed obsolete ppc64 patch
-
--------------------------------------------------------------------
-Sun Jan 22 12:08:07 UTC 2012 - joop.boonen@opensuse.org
-
-- Disable neon for arm as it doesn't build correctly
-
--------------------------------------------------------------------
-Fri Dec 23 17:02:01 UTC 2011 - wr@rosenauer.org
-
-- update to Firefox 9.0.1
- * (strongparent) parentNode of element gets lost (bmo#335998)
-
--------------------------------------------------------------------
-Sun Dec 18 09:58:52 UTC 2011 - adrian@suse.de
-
-- fix arm build, don't package crashreporter there
-
--------------------------------------------------------------------
-Sun Dec 18 09:52:08 UTC 2011 - wr@rosenauer.org
-
-- update to Firefox 9 (bnc#737533)
- * MFSA 2011-53/CVE-2011-3660
- Miscellaneous memory safety hazards (rv:9.0)
- * MFSA 2011-54/CVE-2011-3661 (bmo#691299)
- Potentially exploitable crash in the YARR regular expression
- library
- * MFSA 2011-55/CVE-2011-3658 (bmo#708186)
- nsSVGValue out-of-bounds access
- * MFSA 2011-56/CVE-2011-3663 (bmo#704482)
- Key detection without JavaScript via SVG animation
- * MFSA 2011-58/VE-2011-3665 (bmo#701259)
- Crash scaling <video> to extreme sizes
-
--------------------------------------------------------------------
-Sun Nov 27 03:51:54 UTC 2011 - mgorse@suse.com
-
-- Fix accessibility under GNOME 3 (bnc#732898)
-
--------------------------------------------------------------------
-Sat Nov 12 15:16:38 UTC 2011 - dvaleev@suse.com
-
-- fix ppc64 build
-
--------------------------------------------------------------------
-Sun Nov 6 08:20:59 UTC 2011 - wr@rosenauer.org
-
-- update to Firefox 8 (bnc#728520)
- * MFSA 2011-47/CVE-2011-3648 (bmo#690225)
- Potential XSS against sites using Shift-JIS
- * MFSA 2011-48/CVE-2011-3651/CVE-2011-3652/CVE-2011-3654
- Miscellaneous memory safety hazards
- * MFSA 2011-49/CVE-2011-3650 (bmo#674776)
- Memory corruption while profiling using Firebug
- * MFSA 2011-52/CVE-2011-3655 (bmo#672182)
- Code execution via NoWaiverWrapper
-- rebased patches
-
--------------------------------------------------------------------
-Thu Oct 20 12:34:47 UTC 2011 - wr@rosenauer.org
-
-- enable telemetry prompt
-
--------------------------------------------------------------------
-Fri Sep 30 10:52:36 UTC 2011 - wr@rosenauer.org
-
-- update to minor release 7.0.1
- * fixed staged addon updates
-- set intl.locale.matchOS=true in the base package as it causes
- too much confusion when it's only available with branding-openSUSE
-
--------------------------------------------------------------------
-Fri Sep 23 11:22:22 UTC 2011 - wr@rosenauer.org
-
-- update to Firefox 7 (bnc#720264)
- including
- * Improve Responsiveness with Memory Reductions
- * Instant Sync
- * WebSocket protocol 8
- * MFSA 2011-36/CVE-2011-2995/CVE-2011-2996/CVE-2011-2997
- Miscellaneous memory safety hazards
- * MFSA 2011-39/CVE-2011-3000 (bmo#655389)
- Defense against multiple Location headers due to CRLF Injection
- * MFSA 2011-40/CVE-2011-2372/CVE-2011-3001
- Code installation through holding down Enter
- * MFSA 2011-41/CVE-2011-3002/CVE-2011-3003 (bmo#680840, bmo#682335)
- Potentially exploitable WebGL crashes
- * MFSA 2011-42/CVE-2011-3232 (bmo#653672)
- Potentially exploitable crash in the YARR regular expression
- library
- * MFSA 2011-43/CVE-2011-3004 (bmo#653926)
- loadSubScript unwraps XPCNativeWrapper scope parameter
- * MFSA 2011-44/CVE-2011-3005 (bmo#675747)
- Use after free reading OGG headers
- * MFSA 2011-45
- Inferring keystrokes from motion data
-- removed obsolete mozilla-cairo-lcd.patch
-- rebased patches
-- removed XLIB_SKIP_ARGB_VISUALS=1 from environment in
- mozilla.sh.in (bnc#680758)
-
--------------------------------------------------------------------
-Fri Sep 16 06:57:38 UTC 2011 - wr@rosenauer.org
-
-- fixed loading of kde.js under KDE (bnc#718311)
-
--------------------------------------------------------------------
-Wed Sep 14 07:02:04 UTC 2011 - wr@rosenauer.org
-
-- add dbus-1-glib-devel to BuildRequires (not pulled in
- automatically anymore on 12.1)
-- increase minversions for NSPR and NSS
-
--------------------------------------------------------------------
-Fri Sep 9 20:44:15 UTC 2011 - wr@rosenauer.org
-
-- recreated source archive to get correct source-stamp.txt
-
--------------------------------------------------------------------
-Wed Sep 7 14:30:34 UTC 2011 - pcerny@suse.com
-
-- security update to 6.0.2 (bnc#714931)
- * Complete blocking of certificates issued by DigiNotar
- (bmo#683449)
-
--------------------------------------------------------------------
-Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com
-
-- security update to 6.0.1 (bnc#714931)
- * MFSA 2011-34
- Protection against fraudulent DigiNotar certificates
- (bmo#682927)
-
--------------------------------------------------------------------
-Fri Aug 12 21:16:19 UTC 2011 - wr@rosenauer.org
-
-- update to 6.0 (bnc#712224)
- included security fixes MFSA 2011-29
- * CVE-2011-2989/CVE-2011-2991/CVE-2011-2992/CVE-2011-2985
- Miscellaneous memory safety hazards
- * CVE-2011-2993 (bmo#657267)
- Unsigned scripts can call script inside signed JAR
- * CVE-2011-2988 (bmo#665934)
- Heap overflow in ANGLE library
- * CVE-2011-0084 (bmo#648094)
- Crash in SVGTextElement.getCharNumAtPosition()
- * CVE-2011-2990
- Credential leakage using Content Security Policy reports
- * CVE-2011-2986 (bmo#655836)
- Cross-origin data theft using canvas and Windows D2D
-- removed obsolete curl header dependency (mozilla-curl.patch)
-
--------------------------------------------------------------------
-Fri Jul 22 13:34:12 UTC 2011 - wr@rosenauer.org
-
-- update to 6.0b3
- * removed obsolete patches
- - firefox-shellservice.patch
- - mozilla-gio.patch
- - mozilla-ppc-ipc.patch
- - firefox-linkorder.patch
- - firefox-no-sync-l10n.patch
-- recognize linux3 as platform for symbolstore.py
-
--------------------------------------------------------------------
-Fri Jul 1 19:53:18 CEST 2011 - vuntz@opensuse.org
-
-- Add x-scheme-handler/ftp to the MimeType key in the .desktop, to
- let desktops know that Firefox can deal with ftp: URIs.
-
--------------------------------------------------------------------
-Fri Jul 1 06:45:08 UTC 2011 - wr@rosenauer.org
-
-- create upstream branding package again (supposedly empty)
- (bnc#703401)
-- fix build on SLE11 (changes do not affect/are not applied for
- later versions)
-
--------------------------------------------------------------------
-Wed Jun 22 06:41:17 UTC 2011 - wr@rosenauer.org
-
-- enable startup notification (bnc#701465)
-
--------------------------------------------------------------------
-Mon Jun 20 19:37:01 UTC 2011 - wr@rosenauer.org
-
-- update to 5.0 final
-- included fixes for security issues: (bnc#701296, bnc#700578)
- * MFSA 2011-19/CVE-2011-2374 CVE-2011-2375
- Miscellaneous memory safety hazards
- * MFSA 2011-20/CVE-2011-2373 (bmo#617247)
- Use-after-free vulnerability when viewing XUL document with
- script disabled
- * MFSA 2011-21/CVE-2011-2377 (bmo#638018, bmo#639303)
- Memory corruption due to multipart/x-mixed-replace images
- * MFSA 2011-22/CVE-2011-2371 (bmo#664009)
- Integer overflow and arbitrary code execution in
- Array.reduceRight()
- * MFSA 2011-25/CVE-2011-2366
- Stealing of cross-domain images using WebGL textures
- * MFSA 2011-26/CVE-2011-2367 CVE-2011-2368
- Multiple WebGL crashes
- * MFSA 2011-27/CVE-2011-2369 (bmo#650001)
- XSS encoding hazard with inline SVG
- * MFSA 2011-28/CVE-2011-2370 (bmo#645699)
- Non-whitelisted site can trigger xpinstall
-
--------------------------------------------------------------------
-Mon Jun 20 09:17:42 UTC 2011 - wr@rosenauer.org
-
-- update to 5.0b7
- * updated supported locales
-- do not build dump_syms static (not needed for us)
- -> fix build for openSUSE 12.1 and above
-
--------------------------------------------------------------------
-Wed Jun 15 14:59:32 UTC 2011 - wr@rosenauer.org
-
-- update to 5.0b6
-- include proper revision information into the build
-- speedier find-external-requires.sh
-
--------------------------------------------------------------------
-Tue May 31 06:53:55 UTC 2011 - wr@rosenauer.org
-
-- update to 5.0b3
-- transformed to standalone Firefox (not xulrunner based)
- (with new Firefox rapid release cycle it makes no sense anymore)
- * imported all relevant xulrunner patches
-- do not compile in build timestamp
-
--------------------------------------------------------------------
-Fri Apr 15 07:08:53 UTC 2011 - wr@rosenauer.org
-
-- security update to 4.0.1 (bnc#689281)
- * MFSA 2011-12/ CVE-2011-0069 CVE-2011-0070 CVE-2011-0079
- CVE-2011-0080 CVE-2011-0081
- Miscellaneous memory safety hazards
- * MFSA 2011-17/CVE-2011-0068 (bmo#623791)
- WebGLES vulnerabilities
- * MFSA 2011-18/CVE-2011-1202 (bmo#640339)
- XSLT generate-id() function heap address leak
-
--------------------------------------------------------------------
-Wed Mar 30 11:24:36 UTC 2011 - wr@rosenauer.org
-
-- add all available icon sizes
-
--------------------------------------------------------------------
-Tue Mar 29 11:55:53 UTC 2011 - cfarrell@novell.com
-
-- license update: MPLv1.1 or GPLv2+ or LGPLv2+
- Sync licenses with Fedora. MPL does not state ^or later^
-
--------------------------------------------------------------------
-Fri Mar 18 08:49:15 UTC 2011 - wr@rosenauer.org
-
-- update to version 4.0rc2
-- fixed rpm macros delivered with devel package (bnc#679950)
-
--------------------------------------------------------------------
-Wed Feb 23 07:52:04 UTC 2011 - wr@rosenauer.org
-
-- update to version 4.0b12
-- rebased patches
-
--------------------------------------------------------------------
-Fri Feb 4 09:32:50 UTC 2011 - wr@rosenauer.org
-
-- update to version 4.0b11
- * loads of bugfixes compared to last beta
- * added "Do Not Track" option
-- rebased patches
-- disable testpilot
-
--------------------------------------------------------------------
-Fri Jan 28 08:56:12 UTC 2011 - wr@rosenauer.org
-
-- set correct desktop file name within KDE for 11.4 and up
-- add devel package with macros for extensions (from lnussel@suse.de)
-
--------------------------------------------------------------------
-Sat Jan 22 22:21:52 UTC 2011 - wr@rosenauer.org
-
-- update to version 4.0b10
-- removed obsolete firefox-shell-bmo624267.patch
-- testpilot moved to distribution/extensions
-- updated locale provides and removed bn-IN from locales
-
--------------------------------------------------------------------
-Tue Jan 11 06:13:40 UTC 2011 - wr@rosenauer.org
-
-- update to version 4.0b9
-- added x-scheme-handler for http and https to desktop file for
- newer Gnome environments
-- fixed default browser check/set for GIO (bmo#611953)
- (mozilla-shellservice.patch)
-- removed obsolete firefox-appname.patch (integrated into
- shellservice patch)
-- renamed desktop file to firefox.desktop for 11.4 and newer
- (bnc#664211)
-- removed support for 10.3 and older from the spec file
-- removed obsolete "Ximian" categories from desktop file
-
--------------------------------------------------------------------
-Mon Jan 3 17:35:46 CET 2011 - meissner@suse.de
-
-- Mirror ac_add_options --disable-ipc from xulrunner for PowerPC.
-
--------------------------------------------------------------------
-Wed Dec 15 07:49:45 UTC 2010 - wr@rosenauer.org
-
-- update to version 4.0beta8
-
--------------------------------------------------------------------
-Tue Nov 30 14:19:59 UTC 2010 - wr@rosenauer.org
-
-- major update to version 4.0beta7
- * based on mozilla-xulrunner20
- * far too many internal changes to list
-
--------------------------------------------------------------------
-Wed Oct 27 07:12:14 CEST 2010 - wr@rosenauer.org
-
-- security update to 3.6.12 (bnc#649492)
- * MFSA 2010-73/CVE-2010-3765 (bmo#607222)
- Heap buffer overflow mixing document.write and DOM insertion
-
--------------------------------------------------------------------
-Wed Oct 6 07:13:52 CEST 2010 - wr@rosenauer.org
-
-- security update to 3.6.11 (bnc#645315)
- * MFSA 2010-64/CVE-2010-3174/CVE-2010-3175/CVE-2010-3176
- Miscellaneous memory safety hazards
- * MFSA 2010-65/CVE-2010-3179 (bmo#583077)
- Buffer overflow and memory corruption using document.write
- * MFSA 2010-66/CVE-2010-3180 (bmo#588929)
- Use-after-free error in nsBarProp
- * MFSA 2010-67/CVE-2010-3183 (bmo#598669)
- Dangling pointer vulnerability in LookupGetterOrSetter
- * MFSA 2010-68/CVE-2010-3177 (bmo#556734)
- XSS in gopher parser when parsing hrefs
- * MFSA 2010-69/CVE-2010-3178 (bmo#576616)
- Cross-site information disclosure via modal calls
- * MFSA 2010-70/CVE-2010-3170 (bmo#578697)
- SSL wildcard certificate matching IP addresses
- * MFSA 2010-71/CVE-2010-3182 (bmo#590753)
- Unsafe library loading vulnerabilities
- * MFSA 2010-72/CVE-2010-3173
- Insecure Diffie-Hellman key exchange
-
--------------------------------------------------------------------
-Wed Sep 15 07:39:22 CEST 2010 - wr@rosenauer.org
-
-- update to 3.6.10
- * fixing startup topcrash (bmo#594699)
-
--------------------------------------------------------------------
-Thu Aug 26 07:40:28 CEST 2010 - wr@rosenauer.org
-
-- security update to 3.6.9 (bnc#637303)
- * MFSA 2010-49/CVE-2010-3169
- Miscellaneous memory safety hazards
- * MFSA 2010-50/CVE-2010-2765 (bmo#576447)
- Frameset integer overflow vulnerability
- * MFSA 2010-51/CVE-2010-2767 (bmo#584512)
- Dangling pointer vulnerability using DOM plugin array
- * MFSA 2010-53/CVE-2010-3166 (bmo#579655)
- Heap buffer overflow in nsTextFrameUtils::TransformText
- * MFSA 2010-54/CVE-2010-2760 (bmo#585815)
- Dangling pointer vulnerability in nsTreeSelection
- * MFSA 2010-55/CVE-2010-3168 (bmo#576075)
- XUL tree removal crash and remote code execution
- * MFSA 2010-56/CVE-2010-3167 (bmo#576070)
- Dangling pointer vulnerability in nsTreeContentView
- * MFSA 2010-57/CVE-2010-2766 (bmo#580445)
- Crash and remote code execution in normalizeDocument
- * MFSA 2010-59/CVE-2010-2762 (bmo#584180)
- SJOW creates scope chains ending in outer object
- * MFSA 2010-61/CVE-2010-2768 (bmo#579744)
- UTF-7 XSS by overriding document charset using <object> type
- attribute
- * MFSA 2010-62/CVE-2010-2769 (bmo#520189)
- Copy-and-paste or drag-and-drop into designMode document allows
- XSS
- * MFSA 2010-63/CVE-2010-2764 (bmo#552090)
- Information leak via XMLHttpRequest statusText
-
--------------------------------------------------------------------
-Wed Jul 28 08:33:14 CEST 2010 - meissner@suse.de
-
-- disable crash reporter for non x86/x86_64 to make it build.
-
--------------------------------------------------------------------
-Sat Jul 24 12:42:58 CEST 2010 - wr@rosenauer.org
-
-- security update to 3.6.8 (bnc#622506)
- * MFSA 2010-48/CVE-2010-2755 (bmo#575836)
- Dangling pointer crash regression from plugin parameter array
- fix
-
--------------------------------------------------------------------
-Fri Jul 16 06:48:44 CEST 2010 - wr@rosenauer.org
-
-- security update to 3.6.7 (bnc#622506)
- * MFSA 2010-34/CVE-2010-1211/CVE-2010-1212
- Miscellaneous memory safety hazards
- * MFSA 2010-35/CVE-2010-1208 (bmo#572986)
- DOM attribute cloning remote code execution vulnerability
- * MFSA 2010-36/CVE-2010-1209 (bmo#552110)
- Use-after-free error in NodeIterator
- * MFSA 2010-37/CVE-2010-1214 (bmo#572985)
- Plugin parameter EnsureCachedAttrParamArrays remote code
- execution vulnerability
- * MFSA 2010-38/CVE-2010-1215 (bmo#567069)
- Arbitrary code execution using SJOW and fast native function
- * MFSA 2010-39/CVE-2010-2752 (bmo#574059)
- nsCSSValue::Array index integer overflow
- * MFSA 2010-40/CVE-2010-2753 (bmo#571106)
- nsTreeSelection dangling pointer remote code execution
- vulnerability
- * MFSA 2010-41/CVE-2010-1205 (bmo#570451)
- Remote code execution using malformed PNG image
- * MFSA 2010-42/CVE-2010-1213 (bmo#568148)
- Cross-origin data disclosure via Web Workers and importScripts
- * MFSA 2010-43/CVE-2010-1207 (bmo#571287)
- Same-origin bypass using canvas context
- * MFSA 2010-44/CVE-2010-1210 (bmo#564679)
- Characters mapped to U+FFFD in 8 bit encodings cause subsequent
- character to vanish
- * MFSA 2010-45/CVE-2010-1206/CVE-2010-2751 (bmo#536466,556957)
- Multiple location bar spoofing vulnerabilities
- * MFSA 2010-46/CVE-2010-0654 (bmo#524223)
- Cross-domain data theft using CSS
- * MFSA 2010-47/CVE-2010-2754 (bmo#568564)
- Cross-origin data leakage from script filename in error messages
-
--------------------------------------------------------------------
-Sun Jun 27 20:24:31 CEST 2010 - wr@rosenauer.org
-
-- update to 3.6.6 release
- * modifies the crash protection feature to increase the amount
- of time that plugins are allowed to be non-responsive before
- being terminated.
-
--------------------------------------------------------------------
-Wed Jun 23 14:40:35 CEST 2010 - wr@rosenauer.org
-
-- update to final 3.6.4 release (bnc#603356)
- * MFSA 2010-26/CVE-2010-1200/CVE-2010-1201/CVE-2010-1202/
- CVE-2010-1203
- Crashes with evidence of memory corruption (rv:1.9.2.4)
- * MFSA 2010-28/CVE-2010-1198 (bmo#532246)
- Freed object reuse across plugin instances
- * MFSA 2010-29/CVE-2010-1196 (bmo#534666)
- Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
- * MFSA 2010-30/CVE-2010-1199 (bmo#554255)
- Integer Overflow in XSLT Node Sorting
- * MFSA 2010-31/CVE-2010-1125 (bmo#552255)
- focus() behavior can be used to inject or steal keystrokes
- * MFSA 2010-32/CVE-2010-1197 (bmo#537120)
- Content-Disposition: attachment ignored if
- Content-Type: multipart also present
- * MFSA 2010-33/CVE-2008-5913 (bmo#475585)
- User tracking across sites using Math.random()
-
--------------------------------------------------------------------
-Mon Jun 7 07:07:33 CEST 2010 - wr@rosenauer.org
-
-- update to 3.6.4(build6)
-
--------------------------------------------------------------------
-Sun Apr 18 09:42:40 CEST 2010 - wr@rosenauer.org
-
-- security update to 3.6.4 (Lorentz)
- * enable crashreporter also for x86-64
- * Flash runs in a separate process to avoid crashing Firefox
- (ix86 only; x86-64 still uses nspluginwrapper)
-
--------------------------------------------------------------------
-Thu Apr 1 11:15:38 UTC 2010 - wr@rosenauer.org
-
-- security update to 3.6.3
- * MFSA 2010-25/CVE-2010-1121 (bmo#555109)
- Re-use of freed object due to scope confusion
-
--------------------------------------------------------------------
-Thu Mar 18 06:43:33 CET 2010 - wr@rosenauer.org
-
-- security update to version 3.6.2 (bnc#586567)
- * MFSA 2010-08/CVE-2010-1028
- WOFF heap corruption due to integer overflow
- * MFSA 2010-09/CVE-2010-0164 (bmo#547143)
- Deleted frame reuse in multipart/x-mixed-replace image
- * MFSA 2010-10/CVE-2010-0170 (bmo#541530)
- XSS via plugins and unprotected Location object
- * MFSA 2010-11/CVE-2010-0165/CVE-2010-0166/CVE-2010-0167
- Crashes with evidence of memory corruption
- * MFSA 2010-12/CVE-2010-0171 (bmo#531364)
- XSS using addEventListener and setTimeout on a wrapped object
- * MFSA 2010-13/CVE-2010-0168 (bmo#540642)
- Content policy bypass with image preloading
- * MFSA 2010-14/CVE-2010-0169 (bmo#535806)
- Browser chrome defacement via cached XUL stylesheets
- * MFSA 2010-15/CVE-2010-0172 (bmo#537862)
- Asynchronous Auth Prompt attaches to wrong window
- * MFSA 2010-16/CVE-2010-0173/CVE-2010-0174
- Crashes with evidence of memory corruption
- * MFSA 2010-18/CVE-2010-0176 (bmo#538308)
- Dangling pointer vulnerability in nsTreeContentView
- * MFSA 2010-19/CVE-2010-0177 (bmo#538310)
- Dangling pointer vulnerability in nsPluginArray
- * MFSA 2010-20/CVE-2010-0178 (bmo#546909)
- Chrome privilege escalation via forced URL drag and drop
- * MFSA 2010-22/CVE-2009-3555 (bmo#545755)
- Update NSS to support TLS renegotiation indication
- * MFSA 2010-23/CVE-2010-0181 (bmo#452093)
- Image src redirect to mailto: URL opens email editor
- * MFSA 2010-24/CVE-2010-0182 (bmo#490790)
- XMLDocument::load() doesn't check nsIContentPolicy
-
--------------------------------------------------------------------
-Mon Jan 18 09:42:50 CET 2010 - wr@rosenauer.org
-
-- update to 3.6rc2 (already named 3.6.0)
-- removed obsolete orbit-devel build requirement
-
--------------------------------------------------------------------
-Wed Jan 6 17:15:40 CET 2010 - wr@rosenauer.org
-
-- major update to 3.6rc1
-
--------------------------------------------------------------------
-Fri Dec 25 09:39:42 CET 2009 - wr@rosenauer.org
-
-- update to version 3.5.7 (bnc#568011)
- * DNS resolution in MakeSN of nsAuthSSPI causing issues for
- proxy servers that support NTLM auth (bmo#535193)
-- added missing lockdown preferences (bnc#567131)
-
--------------------------------------------------------------------
-Thu Dec 17 20:06:38 CET 2009 - wr@rosenauer.org
-
-- readded firefox-ui-lockdown.patch (bnc#546158)
-
--------------------------------------------------------------------
-Thu Dec 3 21:53:59 CET 2009 - wr@rosenauer.org
-
-- security update to version 3.5.6 (bnc#559807)
- * MFSA 2009-65/CVE-2009-3979/CVE-2009-3980/CVE-2009-3982
- Crashes with evidence of memory corruption (rv:1.9.1.6)
- * MFSA 2009-66/CVE-2009-3388 (bmo#504843,bmo#523816)
- Memory safety fixes in liboggplay media library
- * MFSA 2009-67/CVE-2009-3389 (bmo#515882,bmo#504613)
- Integer overflow, crash in libtheora video library
- * MFSA 2009-68/CVE-2009-3983 (bmo#487872)
- NTLM reflection vulnerability
- * MFSA 2009-69/CVE-2009-3984/CVE-2009-3985 (bmo#521461,bmo#514232)
- Location bar spoofing vulnerabilities
- * MFSA 2009-70/VE-2009-3986 (bmo#522430)
- Privilege escalation via chrome window.opener
-- fixed firefox-browser-css.patch (bnc#561027)
-
--------------------------------------------------------------------
-Mon Nov 23 22:31:21 CET 2009 - wr@rosenauer.org
-
-- rebased patches for fuzz=0
-
--------------------------------------------------------------------
-Thu Nov 5 19:49:33 UTC 2009 - wr@rosenauer.org
-
-- update to version 3.5.5 (bnc#553172)
-
--------------------------------------------------------------------
-Sat Oct 17 23:19:23 CEST 2009 - wr@rosenauer.org
-
-- security update to version 3.5.4 (bnc#545277)
- * MFSA 2009-52/CVE-2009-3370 (bmo#511615)
- Form history vulnerable to stealing
- * MFSA 2009-53/CVE-2009-3274 (bmo#514823)
- Local downloaded file tampering
- * MFSA 2009-54/CVE-2009-3371 (bmo#514554)
- Crash with recursive web-worker calls
- * MFSA 2009-55/CVE-2009-3372 (bmo#500644)
- Crash in proxy auto-configuration regexp parsing
- * MFSA 2009-56/CVE-2009-3373 (bmo#511689)
- Heap buffer overflow in GIF color map parser
- * MFSA 2009-57/CVE-2009-3374 (bmo#505988)
- Chrome privilege escalation in XPCVariant::VariantDataToJS()
- * MFSA 2009-59/CVE-2009-1563 (bmo#516396, bmo#516862)
- Heap buffer overflow in string to number conversion
- * MFSA 2009-61/CVE-2009-3375 (bmo#503226)
- Cross-origin data theft through document.getSelection()
- * MFSA 2009-62/CVE-2009-3376 (bmo#511521)
- Download filename spoofing with RTL override
- * MFSA 2009-63/CVE-2009-3377/CVE-2009-3379/CVE-2009-3378
- Upgrade media libraries to fix memory safety bugs
- * MFSA 2009-64/CVE-2009-3380/CVE-2009-3381/CVE-2009-3383
- Crashes with evidence of memory corruption
-- removed upstreamed patch
- * firefox-bug506901.patch
-
--------------------------------------------------------------------
-Wed Oct 7 20:11:24 CEST 2009 - llunak@novell.com
-
-- fix KDE button order in one more place (bnc#170055)
-
--------------------------------------------------------------------
-Fri Oct 2 20:26:49 CEST 2009 - wr@rosenauer.org
-
-- improve UI colors to be usable with dark themes at all
- (firefox-browser-css.patch) (bnc#503351)
-- extend list of supported architectures as ABI identifier
- (mozilla-abi.patch) (bnc#543460)
-
--------------------------------------------------------------------
-Mon Sep 14 00:07:55 CEST 2009 - wr@rosenauer.org
-
-- added KDE integration patch from llunak@novell.com
- (firefox-kde.patch)
- * support for knotify, making -kde4-addon obsolete
- * KDE-specific support functional (bnc#170055)
-- do not build libnkgnomevfs (bmo#512671) (firefox-no-gnomevfs)
-
--------------------------------------------------------------------
-Thu Sep 10 09:34:26 CEST 2009 - wr@rosenauer.org
-
-- security update to version 3.5.3 (bnc#534458)
- * MFSA 2009-47/CVE-2009-3069/CVE-2009-3070/CVE-2009-3071/
- CVE-2009-3072/CVE-2009-3073/CVE-2009-3074/CVE-2009-3075
- Crashes with evidence of memory corruption
- * MFSA 2009-49/CVE-2009-3077 (bmo#506871)
- TreeColumns dangling pointer vulnerability
- * MFSA 2009-50/CVE-2009-3078 (bmo#453827)
- Location bar spoofing via tall line-height Unicode characters
- * MFSA 2009-51/CVE-2009-3079 (bmo#454363)
- Chrome privilege escalation with FeedWriter
-
--------------------------------------------------------------------
-Wed Aug 19 22:14:07 CEST 2009 - wr@rosenauer.org
-
-- renamed patch firefox-contextmenu-gnome to firefox-cross-desktop
- as it contains more tweaks to handle non-Gnome environments and
- especially KDE integration:
- * added the ability to set the KDE default browser
- (still part of bnc#170055)
-
--------------------------------------------------------------------
-Sat Aug 8 00:14:18 CEST 2009 - wr@rosenauer.org
-
-- split -translations package into -common and -other
- (bnc#529180)
-- remove "set as background" from context menu if not running in
- Gnome (part of bnc#170055)
-
--------------------------------------------------------------------
-Fri Jul 31 09:01:57 CEST 2009 - wr@rosenauer.org
-
-- security update to version 3.5.2
- * MFSA 2009-38/CVE-2009-2470 (bmo#459524)
- Data corruption with SOCKS5 reply containing DNS name longer
- than 15 characters
- * MFSA 2009-44/CVE-2009-2654 (bmo#451898)
- Location bar and SSL indicator spoofing via window.open() on
- invalid URL
- * MFSA 2009-45
- Crashes with evidence of memory corruption
- * MFSA 2009-46 (bmo#498897)
- Chrome privilege escalation due to incorrectly cached wrapper
- * various other stability fixes
-- export MOZ_APP_LAUNCHER in the startscript (bmo#453689)
-
--------------------------------------------------------------------
-Tue Jul 28 14:54:46 CEST 2009 - wr@rosenauer.org
-
-- fixed %exclude usage
-- fixed preferences' advanced pane for fresh profiles (bmo#506901)
-
--------------------------------------------------------------------
-Wed Jul 15 20:13:19 CEST 2009 - wr@rosenauer.org
-
-- security update to version 3.5.1
- * MFSA 2009-41
- Corrupt JIT state after deep return from native function
-
--------------------------------------------------------------------
-Mon Jul 6 12:33:47 CEST 2009 - wr@rosenauer.org
-
-- added mozilla-linkorder.patch to fix build with --as-needed
-
--------------------------------------------------------------------
-Tue Jun 30 08:52:00 CEST 2009 - wr@rosenauer.org
-
-- update to final version 3.5 (20090623)
-
--------------------------------------------------------------------
-Tue Jun 23 09:39:50 CEST 2009 - wr@rosenauer.org
-
-- fixed build by linking to a real file
-
--------------------------------------------------------------------
-Thu Jun 18 10:19:40 CEST 2009 - wr@rosenauer.org
-
-- update to version 3.5rc2 (20090617)
-- BuildRequire mozilla-xulrunner191 = 1.9.1.0
-
--------------------------------------------------------------------
-Sat Jun 6 15:59:02 CEST 2009 - wr@rosenauer.org
-
-- update to version 3.5b99 (20090604)
-- BuildRequire mozilla-xulrunner191 = 1.9.1b99
-
--------------------------------------------------------------------
-Wed May 27 08:03:16 CEST 2009 - wr@rosenauer.org
-
-- fixed typos in improved xulrunner dependencies
-
--------------------------------------------------------------------
-Mon May 11 18:25:12 CEST 2009 - wr@rosenauer.org
-
-- use non-localized Downloads folder (bnc#501724)
-
--------------------------------------------------------------------
-Mon May 4 07:57:50 CEST 2009 - wr@rosenauer.org
-
-- update to new major version 3.5b4
- * based on Gecko 1.9.1 (mozilla-xulrunner191)
- * Private Browsing Mode
- * TraceMonkey JavaScript engine
- * Geolocation support
- * native JSON and web worker threads support
- * speculative parsing for faster content rendering
- * Some HTML5 support
-- updated firefox.schemas
-- improved firefox-no-update.patch
-
--------------------------------------------------------------------
-Tue Apr 28 10:47:54 CEST 2009 - wr@rosenauer.org
-
-- security update to 3.0.10
- * MFSA 2009-23/CVE-2009-1313 (bmo#489647)
- Crash in nsTextFrame::ClearTextRun()
-
--------------------------------------------------------------------
-Thu Apr 16 13:52:21 CEST 2009 - wr@rosenauer.org
-
-- security update to 3.0.9 (bnc#495473)
- * MFSA 2009-14/CVE-2009-1302/CVE-2009-1303/CVE-2009-1304/CVE-2009-1305
- Crashes with evidence of memory corruption (rv:1.9.0.9)
- * MFSA 2009-15/CVE-2009-0652 (bmo#479336)
- URL spoofing with box drawing character
- * MFSA 2009-16/CVE-2009-1306 (bmo#474536)
- jar: scheme ignores the content-disposition: header on the
- inner URI
- * MFSA 2009-17/CVE-2009-1307 (bmo#481342)
- Same-origin violations when Adobe Flash loaded via
- view-source: scheme
- * MFSA 2009-18/CVE-2009-1308 (bmo#481558)
- XSS hazard using third-party stylesheets and XBL bindings
- * MFSA 2009-19/CVE-2009-1309 (bmo#482206,478433)
- Same-origin violations in XMLHttpRequest and
- XPCNativeWrapper.toString
- * MFSA 2009-20/CVE-2009-1310 (bmo#483086)
- Malicious search plugins can inject code into arbitrary sites
- * MFSA 2009-21/CVE-2009-1311 (bmo#471962)
- POST data sent to wrong site when saving web page with
- embedded frame
- * MFSA 2009-22/CVE-2009-1312 (bmo#475636)
- Firefox allows Refresh header to redirect to javascript: URIs
-
--------------------------------------------------------------------
-Fri Mar 27 09:43:43 CET 2009 - wr@rosenauer.org
-
-- security update to 1.9.0.8 (bnc#488955,489411)
- * MFSA 2009-12/CVE-2009-1169 (bmo#460090,485217)
- Crash and remote code execution in XSL transformation
- * MFSA 2009-13/CVE-2009-1044 (bmo#484320)
- Arbitrary code execution via XUL tree moveToEdgeShift
-- allow RPM provides for stuff besides shared libraries
- (e.g. mime-types)
-
--------------------------------------------------------------------
-Sun Mar 1 11:08:58 CET 2009 - wr@rosenauer.org
-
-- security update to 3.0.7 (bnc#478625)
- * MFSA 2009-07 - Crashes with evidence of memory corruption
- CVE-2009-0771 - Layout Engine Crashes
- CVE-2009-0772 - Layout Engine Crashes
- CVE-2009-0773 - crashes in the JavaScript engine
- CVE-2009-0774 - Layout Engine Crashes
- * MFSA 2009-08/CVE-2009-0775 - (bmo#474456)
- Mozilla Firefox XUL Linked Clones Double Free Vulnerability
- * MFSA 2009-09/CVE-2009-0776 (bmo#414540)
- XML data theft via RDFXMLDataSource and cross-domain redirect
- * MFSA 2009-10/CVE-2009-0040 (bmo#478901)
- Upgrade PNG library to fix memory safety hazards
- * MFSA 2009-11/CVE-2009-0777 (bmo#452979)
- URL spoofing with invisible control characters
-
--------------------------------------------------------------------
-Wed Feb 4 18:58:59 EST 2009 - hfiguiere@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Wed Jan 28 13:48:00 CET 2009 - wr@rosenauer.org
-
-- security update to 3.0.6 (bnc#470074)
- * MFSA 2009-06/CVE-2009-0358: Directives to not cache pages ignored
- (bmo#441751)
- * MFSA 2009-05/CVE-2009-0357: XMLHttpRequest allows reading
- HTTPOnly cookies (bmo#380418)
- * MFSA 2009-04/CVE-2009-0356: Chrome privilege escalation via
- local .desktop files (bmo#460425)
- * MFSA 2009-03/CVE-2009-0355: Local file stealing with SessionStore
- (bmo#466937)
- * MFSA 2009-02/CVE-2009-0354: XSS using a chrome XBL method
- and window.eval (bmo#468581)
- * MFSA 2009-01/CVE-2009-0352 - CVE-2009-0353: Crashes with
- evidence of memory corruption (rv:1.9.0.6) (bmo#452913,
- bmo#449006, bmo#331088, bmo#401042, bmo#416461, bmo#422283,
- bmo#422301, bmo#431705, bmo#437142, bmo#421839, bmo#420697,
- bmo#461027)
- * (non security) added lv locale
-
--------------------------------------------------------------------
-Thu Jan 22 11:09:42 EST 2009 - hfiguiere@suse.de
-
-- Fix the wrapper script for PowerPC 64-bits (bnc#464753)
-
--------------------------------------------------------------------
-Wed Dec 17 13:13:25 EST 2008 - hfiguiere@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Mon Dec 15 16:41:57 CET 2008 - wr@rosenauer.org
-
-- security update to 1.9.0.5 (bnc#455804)
- for details
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
- * removed aboutRights workaround again
- * added et locale
-
--------------------------------------------------------------------
-Tue Nov 25 10:14:45 EST 2008 - hfiguiere@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Sat Nov 22 13:26:03 CET 2008 - wr@rosenauer.org
-
-- replace license agreement with about:rights toolbar
- (backported from upcoming FF 3.0.5) (bnc#436054, bmo#456439)
- (it's always displayed in en-US)
-
--------------------------------------------------------------------
-Fri Nov 21 03:11:41 EST 2008 - hfiguiere@suse.de
-
-- Update firefox-lockdown-ui.patch
- * Print Setup is now properly locked down. bnc#431028
- * Bookmark editing it now properly locked down. bnc#439335
- * Bookmars are properly hidden.
- * History is properly locked down. bnc#439343
- * Make sure the search bar is not put back when resetting the
- toolbar. bnc#439358
-
--------------------------------------------------------------------
-Thu Nov 20 18:49:19 CST 2008 - maw@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Thu Nov 13 08:22:13 CET 2008 - wr@rosenauer.org
-
-- lockdown cleanup
- * removed gecko-lockdown.patch from Firefox (it's in xulrunner)
- * stripped out some toolkit stuff from firefox-ui-lockdown
- * added extra default preferences for lockdown
-
--------------------------------------------------------------------
-Wed Nov 12 17:55:19 CST 2008 - maw@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Tue Nov 11 09:15:59 CET 2008 - wr@rosenauer.org
-
-- update to security/maintenance release 3.0.4 (bnc#439841)
- * support additional locales (bg, cy, eo, oc)
-- removed obsolete configure option (enable-gconf)
-
--------------------------------------------------------------------
-Fri Nov 7 15:39:54 CST 2008 - maw@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Tue Nov 4 23:27:03 CET 2008 - wr@rosenauer.org
-
-- moved gconf schema into branding packages (bnc#441646)
-
--------------------------------------------------------------------
-Tue Oct 28 16:16:14 EDT 2008 - hfiguiere@suse.de
-
-- Fix missing %endif (for fix for bnc#434283)
-
--------------------------------------------------------------------
-Mon Oct 27 17:05:02 EDT 2008 - hfiguiere@suse.de
-
-- Add disable_show_passwords to firefox.schemas. (FATE #301534)
-
--------------------------------------------------------------------
-Mon Oct 27 11:57:29 CET 2008 - wr@rosenauer.org
-
-- make biarch dependencies work correctly (bnc#434283)
-
--------------------------------------------------------------------
-Thu Oct 23 10:14:22 EDT 2008 - hfiguiere@suse.de
-
-- Added firefox-ui-lockdown.patch and gecko-lockdown.patch
- * Lockdown: FATE#302023, FATE#302024
-
--------------------------------------------------------------------
-Mon Oct 6 14:55:48 CEST 2008 - sbrabec@suse.cz
-
-- Conflict with other branding providers (FATE#304881).
-
--------------------------------------------------------------------
-Mon Sep 29 12:27:43 CDT 2008 - maw@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Mon Sep 29 11:36:30 CDT 2008 - maw@suse.de
-
-- Remove a reference to a stale patch.
-
--------------------------------------------------------------------
-Sun Sep 28 18:19:26 CEST 2008 - wr@rosenauer.org
-
-- update to regression fix release 3.0.3
- * Fixed a problem where users were unable to retrieve saved
- passwords or save new passwords (bmo#454708, bnc#429179#c20,
- CVE-2008-4063, CVE-2008-4064, CVE-2008-3836, andCVE-2008-4070)
-
--------------------------------------------------------------------
-Thu Sep 25 14:47:13 CDT 2008 - maw@suse.de
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Mon Sep 15 13:45:16 CEST 2008 - wr@rosenauer.org
-
-- update to security/maintenance release 3.0.2 (bnc#429179)
-- removed unused files from sources
-- fix more rpmlint complaints and provide a config file to filter
- false positives
-- disable Gnome crashreporter as it has no value
-- brought man-page up to date for the firefox stub
- (removing firefox-bin reference)
-- en-US locale not longer packaged in translations subpackage
-
--------------------------------------------------------------------
-Fri Aug 15 18:56:26 CDT 2008 - maw@novell.com
-
-- Review and approve changes.
-
--------------------------------------------------------------------
-Mon Aug 4 09:26:05 CEST 2008 - wr@rosenauer.org
-
-- Tweak branding split
-
--------------------------------------------------------------------
-Tue Jul 29 15:02:47 CEST 2008 - vuntz@novell.com
-
-- Create branding package (bnc#390752):
- + search-addons.tar.bz2, bookmarks.html.suse and
- firefox-suse-default-prefs.js will be moved to
- MozillaFirefox-branding-openSUSE
- + create a MozillaFirefox-branding-upstream package
-
--------------------------------------------------------------------
-Mon Jul 28 20:54:22 CEST 2008 - mauro@suse.de
-
-- Update to stability/security release 3.0.1 (bnc#407573)
- (thanks, Wolfgang)
- + MFSA 2008-36 Crash with malformed GIF file on Mac OS X
- + MFSA 2008-35 Command-line URLs launch multiple tabs when
- Firefox not running
- + MFSA 2008-34 Remote code execution by overflowing CSS reference counter
-- Set browser.shell.checkDefaultBrowser to true (bnc#404119)
-
--------------------------------------------------------------------
-Tue Jun 17 18:49:33 CEST 2008 - maw@suse.de
-
-- Merge changes from the build service (thanks, Wolfgang)
- (bnc#400001 and SWAMP#18164).
-
--------------------------------------------------------------------
-Tue Jun 17 14:40:04 CEST 2008 - wr@rosenauer.org
-
-- update to version 3.0
-- fixed double entry in bookmarks for www.opensuse.org (bnc#396980
-
--------------------------------------------------------------------
-Thu May 15 13:45:51 CEST 2008 - aj@suse.de
-
-- Add Planet SUSE, forums.o.o and How to participate to default
- URLs.
-
--------------------------------------------------------------------
-Fri May 2 16:25:24 CEST 2008 - maw@suse.de
-
-- network.protocol-handler.app.* prefs are no longer supported;
- remove references to them from firefox-suse-default-prefs.js
- (bnc#383697).
-
--------------------------------------------------------------------
-Thu Apr 3 01:42:34 CEST 2008 - maw@suse.de
-
-- Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang).
-
--------------------------------------------------------------------
-Wed Mar 26 01:05:18 CET 2008 - maw@suse.de
-
-- Merge changes from the build service (thanks, Wolfgang)
-- Update to the fourth Firefox 3.0 Beta (2.9.94):
- + Based upon the Gecko 1.9 Web rendering platform, which improves
- performance, stability, and rendering correctness; it also
- boasts a considerable simplification in its code
- + Security improvements:
- * One-click site info
- * Malware Protection
- * New Web Forgery Protection page
- * New SSL error pages
- * Add-ons and Plugin version check
- * Secure add-on updates
- * Effective top-level domain (eTLD) service to better restrict
- cookies and other restricted content to a single domain
- * Better protection against cross-site JSON data leaks
- + Usability improvements:
- * Easier password management
- * Simplified add-on installation
- * New Download Manager
- * Resumable downloading
- * Full page zoom
- * Podcasts and Videocasts can be associated with your media
- playback tools
- * Tab scrolling and quickmenu
- * Save what you were doing: Firefox will prompt users to save
- tabs on exit
- * Optimized Open in Tabs behavior
- * Location and Search bar size can now be customized with a
- simple resizer item
- * Text selection improvements
- * Find toolbar
- * Improved integration with Linux: Firefox's default icons,
- buttons, and menu styles now use the native GTK theme
- + Personalization improvements:
- * Star button: quickly add bookmarks from the location bar
- with a single click; a second click lets you file and tag them
- * Tags: associate keywords with your bookmarks to sort them
- by topic
- * Location bar & auto-complete
- * Smart Bookmarks Folder
- * Places Organizer: view, organize and search through all
- of your bookmarks, tags, and browsing history with multiple
- views and smart folders to store your frequent searches
- * Web-based protocol handlers
- * Download & Install Add-ons
- * Easy to use Download Actions
- + Improved platform for web developers:
- * New graphics and font handling: new graphics and text
- rendering architectures in Gecko 1.9 provides rendering
- improvements in CSS, SVG as well as improved display of
- fonts with ligatures and complex scripts
- * Color management: (set gfx.color_management.enabled on
- in about:config and restart the browser to enable.);
- Firefox can now adjust images with embedded color profiles
- * Offline support: enables web applications to provide
- offline functionality (website authors must add support
- for offline browsing to their site for this feature
- to be available to users)
- + Improved performance:
- * Speed: improvements to the JavaScript engine as well as
- profile guided optimizations have resulted in significant
- improvements in performance; compared to Firefox 2,
- web applications like Google Mail and Zoho Office run
- twice as fast in Firefox 3 Beta 4, and the popular
- SunSpider test from Apple shows improvements over
- previous releases
- * Memory usage: Several new technologies work together to
- reduce the amount of memory used by Firefox 3 Beta 4
- over a web browsing session; memory cycles are broken
- and collected by an automated cycle collector, a new
- memory allocator reduces fragmentation, hundreds of leaks
- have been fixed, and caching strategies have been tuned
- * Reliability: A user's bookmarks, history, cookies, and
- preferences are now stored in a transactionally secure
- database format which will prevent data loss even if their
- system crashes
-- This version depends upon the mozilla-xulrunner190 package
-- Drop various stale packages, respin several that have been
- kept around, and add a few new ones.
-
--------------------------------------------------------------------
-Mon Feb 11 18:18:14 CET 2008 - maw@suse.de
-
-- Security update to version 2.0.0.12 (bnc#354469):
- + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div
- overlay
- + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet
- redirect
- + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain
- text files
- + MFSA 2008-08/CVE-2008-0591 File action dialog tampering
- + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward
- navigation stealing
- + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI
- + MFSA 2008-04/CVE-2008-0417 Stored password corruption
- + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote
- Code Execution
- + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing
- vulnerabilities
- + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory
- corruption (rv:1.8.1.12)
-- Reference libaoss.so in start script (bnc#117079)
-- Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed
-- Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and
- FATE#302024)
-- Add application/x-xpinstall mime type to MozillaFirefox.desktop
-- Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall
- in desktop.
-
--------------------------------------------------------------------
-Thu Jan 17 17:52:47 CET 2008 - maw@suse.de
-
-- Add mozilla-maxpathlen.patch (#354150 and bmo #412610).
-
--------------------------------------------------------------------
-Fri Dec 21 18:46:50 CET 2007 - maw@suse.de
-
-- Add firefox-348446-empty-lists.patch (bnc#348446).
-
--------------------------------------------------------------------
-Wed Dec 5 02:21:26 CET 2007 - maw@suse.de
-
-- Respin proxy-dev.patch (bnc#340678) -- thanks, Anders!
-
--------------------------------------------------------------------
-Tue Nov 27 18:25:25 CET 2007 - maw@suse.de
-
-- Security update to version 2.0.0.10 (#341905, #341591):
- + MFSA 2007-39 Referer-spoofing via window.location race condition
- + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
- + MFSA 2007-37 jar: URI scheme XSS hazard
- + Fixes for regressions introduced in 2.0.0.8
- + Updated dbus.patch, startup.patch, misc.dif, and configure.patch
-- Add mozilla-gcc4.3-fixes.patch
-- Add mozilla-canvas-1.8.1.10.patch (#341591#c10).
-
--------------------------------------------------------------------
-Mon Nov 26 18:27:25 CET 2007 - maw@suse.de
-
-- Build with -ftree-vrp -fwrapv, per advice in #342603#c17.
-
--------------------------------------------------------------------
-Tue Nov 13 17:49:01 CET 2007 - maw@suse.de
-
-- Add firefox-gcc4.3-fixes.patch.
-
--------------------------------------------------------------------
-Fri Oct 19 02:04:45 CEST 2007 - maw@suse.de
-
-- Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang)
- * MFSA 2007-29 Crashes with evidence of memory corruption
- * MFSA 2007-30 onUnload Tailgating
- * MFSA 2007-31 Digest authentication request splitting
- * MFSA 2007-32 File input focus stealing vulnerability
- * MFSA 2007-33 XUL pages can hide the window titlebar
- * MFSA 2007-34 Possible file stealing through sftp protocol
- * MFSA 2007-35 XPCNativeWraper pollution using Script object
- complete advisories on
- http://www.mozilla.org/projects/security/known-vulnerabilities.html
-
--------------------------------------------------------------------
-Sun Sep 23 19:49:12 CEST 2007 - maw@suse.de
-
-- Don't explicitly require libaoss.so (#326751).
-
--------------------------------------------------------------------
-Fri Sep 14 23:13:06 CEST 2007 - maw@suse.de
-
-- Update the Novell Support search plugin in search-addons.tar.bz2
- (#297261)
-- Set the browser.tabs.loadFolderAndReplace preference to false
- by default (#230759).
-
--------------------------------------------------------------------
-Wed Sep 12 15:21:06 CEST 2007 - dmueller@suse.de
-
-- fix hardlinks accross partitions
-
--------------------------------------------------------------------
-Thu Sep 6 16:07:12 CEST 2007 - maw@suse.de
-
-- Add http://software.opensuse.org/search?baseproject=openSUSE:10.3
- to the default bookmarks (#308223).
-
--------------------------------------------------------------------
-Mon Sep 3 22:33:09 CEST 2007 - ro@suse.de
-
-- move last change a bit further in specfile
-
--------------------------------------------------------------------
-Fri Aug 31 18:36:16 CEST 2007 - maw@suse.de
-
-- Mark a .png file as nonexecutable.
-
--------------------------------------------------------------------
-Tue Aug 28 16:44:08 CEST 2007 - maw@suse.de
-
-- Minor .spec update (#305193)
- + Remove two obsolete patches
- + Correct releasedate
- + Include only the officially supported locales.
-
--------------------------------------------------------------------
-Wed Aug 22 17:53:03 CEST 2007 - maw@suse.de
-
-- Merge changes from the build service (thanks, Wolfgang):
- + Provide locale dependency information (#302288)
- + Add x11-session.patch, supporting X11 session management
- (#227047)
- + Update to version 2.0.0.6
- * MFSA 2007-26 Privilege escalation through chrome-loaded
- about:blank windows
- * MFSA 2007-27 Unescaped URIs passed to external programs
- (only relevant on Windows)
-- Use %fdupes.
-
--------------------------------------------------------------------
-Tue Aug 21 09:45:35 CEST 2007 - aj@suse.de
-
-- Adjust bookmarks: Add news.opensuse.org, use new software.o.o
- page.
-
--------------------------------------------------------------------
-Thu Aug 16 14:57:27 CEST 2007 - mauro@suse.de
-
-- Revert previous change.
-
--------------------------------------------------------------------
-Tue Aug 14 11:58:23 CEST 2007 - mauro@suse.de
-
-- Added support for ymp in the mimetypes.rdf
-- Added OneClickInstallUrlHandler for handing the actual call from firefox.
-- Fixes bnc #295677
-
--------------------------------------------------------------------
-Mon Jul 23 18:57:07 CEST 2007 - maw@suse.de
-
-- Security update to version 2.0.0.5 (#288115) which has fixes for:
-MFSA 2007-18
- CVE-2007-3734 - Browser flaws
- CVE-2007-3735 - Javascript flaws
-
-MFSA 2007-19
- CVE-2007-3736
-
-MFSA 2007-20
- CVE-2007-3089
-
-MFSA 2007-21
- CVE-2007-3737
-
-MFSA 2007-22
- CVE-2007-3285
-
-MFSA 2007-23
- CVE-2007-3670
-
-MFSA 2007-24
- CVE-2007-3656
-
-MFSA 2007-25
- CVE-2007-3738
-
--------------------------------------------------------------------
-Thu Jun 21 15:59:01 CEST 2007 - adrian@suse.de
-
-- fix changelog entry order
-
--------------------------------------------------------------------
-Mon Jun 18 13:22:42 CDT 2007 - maw@suse.de
-
-- Use mozilla.sh.in from the build service (#230681).
-
--------------------------------------------------------------------
-Tue Jun 5 15:55:08 CEST 2007 - sbrabec@suse.cz
-
-- Removed invalid desktop category "Application" (#254654).
-
--------------------------------------------------------------------
-Mon Jun 4 19:53:35 CDT 2007 - maw@suse.de
-
-- Security update to version 2.0.0.4
-- Refresh configure.patch, startup.patch, and visibility.patch
-- Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2.
-
--------------------------------------------------------------------
-Mon Apr 30 16:49:55 CEST 2007 - ro@suse.de
-
-- added unzip to BuildRequires
-
--------------------------------------------------------------------
-Wed Apr 18 14:16:44 CEST 2007 - mfabian@suse.de
-
-- add Japanese to the languages which get PANGO enabled in the
- start script to support the Japanese combining characters
- U+3099 U+309A (see bugzilla #262718 comment #29).
-
--------------------------------------------------------------------
-Mon Mar 12 11:06:10 CST 2007 - maw@suse.de
-
-- Package gconf stuff.
-
--------------------------------------------------------------------
-Wed Feb 21 16:37:25 CST 2007 - maw@suse.de
-
-- Security update to 2.0.0.2 (#244923), which covers:
- + mfsa2007-01
- * CVE-2007-0775 - layout engine crashes
- * CVE-2007-0776 - SVG
- * CVE-2007-0777 - javascript engine corruption
- + mfsa2007-02
- * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes
- * CVE-2007-0996 - Child frame character set inheritance
- * CVE-2006-6077 - Injected password forms
- + mfsa2007-02
- + mfsa2007-03
- * CVE-2007-0078
- + mfsa2007-04
- * CVE-2007-0079
- + mfsa2007-05
- * CVE-2007-0780
- * CVE-2007-0800
- + mfsa2007-06
- * CVE-2007-0008 - client flaw
- * CVE-2007-0009 - server flaw
- + mfsa2007-07
- * CVE-2007-0981
-- Updates mozilla.sh.in (#230681)
-- Fixes #232209
-- Updates the man page (#243037)
-- Properly propagates exit codes (#241492)
-- Adds em-356370.patch (#217374)
-
--------------------------------------------------------------------
-Thu Jan 25 10:16:56 CST 2007 - maw@suse.de
-
-- Fixup the Gnome paths, keeping in closer sync with the
- buildservice.
-
--------------------------------------------------------------------
-Thu Jan 18 09:27:54 CST 2007 - maw@suse.de
-
-- Gnome is now in /usr, so remove references to /opt/gnome
-- Install firefox.png with the executable bit not set.
-
--------------------------------------------------------------------
-Wed Jan 10 12:57:39 CET 2007 - meissner@suse.de
-
-- readd MozillaFirebird provides (was incorrect in removing it).
-
--------------------------------------------------------------------
-Mon Jan 8 11:16:08 CET 2007 - meissner@suse.de
-
-- Do not provide MozillaFirebird, just obsolete it.
-
--------------------------------------------------------------------
-Fri Dec 1 02:22:49 CET 2006 - maw@suse.de
-
-- Update gecko-lockdown.patch (#220616).
-
--------------------------------------------------------------------
-Thu Nov 30 19:02:54 CET 2006 - maw@suse.de
-
-- Update firefox-suse-default-prefs.js, adding
- 'pref("browser.backspace_action", 2);' (#217374)
-
--------------------------------------------------------------------
-Thu Nov 30 08:17:28 CET 2006 - aj@suse.de
-
-- Fix last change (#224431).
-
--------------------------------------------------------------------
-Wed Nov 29 11:45:47 CET 2006 - aj@suse.de
-
-- Change download bookmark (#224431).
-- Rename bookmark folder to openSUSE.
-
--------------------------------------------------------------------
-Tue Nov 28 08:09:48 CET 2006 - aj@suse.de
-
-- Sync from Buildservice with following critical fixes (thanks
- Wolfgang Rosenauer!):
- * fixed system-proxies.patch to actually work (#223881).
- * Rearrange Bookmarks to pass trademark review.
-
--------------------------------------------------------------------
-Mon Nov 27 19:40:44 CET 2006 - aj@suse.de
-
-- Fix tango theme (#223796).
-
--------------------------------------------------------------------
-Mon Nov 27 17:40:50 CET 2006 - aj@suse.de
-
-- Use www.opensuse.org as home page.
-
--------------------------------------------------------------------
-Sun Nov 12 11:28:00 CET 2006 - aj@suse.de
-
-- Set novell.com as home page.
-- Update from BuildService (thanks Wolfgang!):
- - fixed crash in htmlparser (#217257, bmo #358797)
- - added gconf2 as PreReq (#212505)
- - added 32bit libaoss.so as requirement (#216266)
- - Removed SUSE searchplugin (Portal not available anymore)
- (#216054)
- - Removed obsolete xul-picker.patch and system-nspr.patch
- - Fixed building on 10.1 and 10.0 (dbus)
- - Removed obsolete throbber preference
-
--------------------------------------------------------------------
-Thu Nov 9 19:09:46 CET 2006 - jhargadon@suse.de
-
-- updated tango theme
-
--------------------------------------------------------------------
-Sun Oct 29 12:05:46 CET 2006 - aj@suse.de
-
-- Another fix for 214125, patch by Wolfgang Rosenauer.
-
--------------------------------------------------------------------
-Thu Oct 26 06:58:59 CEST 2006 - aj@suse.de
-
-- Fix gcc warnings about undefined operations, patch by
- Robert O'Callahan.
-- Update system-proxies.patch to fix error box (214125), patch by
- Robert O'Callahan.
-
--------------------------------------------------------------------
-Mon Oct 23 21:54:54 CEST 2006 - aj@suse.de
-
-- Update to current CVS version of 2.0.
-- Use www.opensuse.org as default home page for now (#203547).
-
--------------------------------------------------------------------
-Sat Oct 21 08:53:50 CEST 2006 - aj@suse.de
-
-- Disable non-working plasticfox and tango themes.
-
--------------------------------------------------------------------
-Fri Oct 20 20:16:29 CEST 2006 - aj@suse.de
-
-- Fix building of locales.
-
--------------------------------------------------------------------
-Fri Oct 20 11:27:23 CEST 2006 - mkoenig@suse.de
-
-- update to version 2.0rc3:
- * New features: Visual Refresh, Built-in phishing protection,
- Enhanced search capabilities, Improved tabbed browsing,
- Resuming your browsing session, Previewing and subscribing
- to Web feeds, Inline spell checking, Live Titles,
- Improved Add-ons manager, JavaScript 1.7, Extended search
- plugin format, Updates to the extension system,
- Client-side session and persistent storage, SVG text
-
--------------------------------------------------------------------
-Tue Oct 17 11:26:44 CEST 2006 - meissner@suse.de
-
-- disabled debugging.
-
--------------------------------------------------------------------
-Tue Sep 12 20:27:02 CEST 2006 - stark@suse.de
-
-- security update to version 1.5.0.7
-
--------------------------------------------------------------------
-Mon Aug 21 12:53:50 CEST 2006 - stark@suse.de
-
-- added greasemonkey helper change (#199920)
-- fixed packager.mk for new make version
-
--------------------------------------------------------------------
-Fri Aug 11 20:51:48 CEST 2006 - stark@suse.de
-
-- fixed crash in dbus component (patch by thoenig #197928)
-- use external adresses for PAC configuration (#196506)
-
--------------------------------------------------------------------
-Mon Aug 7 09:26:58 CEST 2006 - stark@suse.de
-
-- added symlink for Firefox 1.0.x compatibility
-
--------------------------------------------------------------------
-Sat Jul 29 08:48:53 CEST 2006 - stark@suse.de
-
-- update to regression release 1.5.0.6 (#195043)
-
--------------------------------------------------------------------
-Thu Jul 27 06:20:36 CEST 2006 - stark@suse.de
-
-- security update to version 1.5.0.5 (#195043)
- * observer-lock.patch integrated now
-- fixed leak in JS' liveconnect (#186066)
-- fixed desktop file for old distributions
- (StartupNotify=false)
-
--------------------------------------------------------------------
-Thu Jun 29 20:13:28 CEST 2006 - stark@suse.de
-
-- fixed printing crash if the last used printer is not available
- anymore (#187013)
-
--------------------------------------------------------------------
-Fri Jun 16 22:11:22 CEST 2006 - stark@suse.de
-
-- added 48x48 icon (#185777)
-
--------------------------------------------------------------------
-Mon Jun 12 20:20:02 CEST 2006 - stark@suse.de
-
-- fix overwrite confirmation for GTK filesaver (#179531)
-- get network.negotiate-auth.trusted-uris and
- network.negotiate-auth.delegation-uris from gconf if
- system-settings are enabled (#184489)
-
--------------------------------------------------------------------
-Thu Jun 1 20:34:43 CEST 2006 - stark@suse.de
-
-- update to security/stability release 1.5.0.4 (#179011)
-- moved locale-global prefs to browserconfig.properties (#177881)
-
--------------------------------------------------------------------
-Tue May 23 21:11:11 CEST 2006 - stark@suse.de
-
-- complete implementation of startup-notification (#115417)
- (including autoconf and remote support)
-- different home-pages for SLE10 and SL (#177881)
-
--------------------------------------------------------------------
-Tue May 16 06:27:26 CEST 2006 - stark@suse.de
-
-- fixed potential deadlock in nsObserverList::RemoveObserver
- (#173986, bmo #338069)
-- base startup notification on libstartup-notification (#115417)
-
--------------------------------------------------------------------
-Thu May 11 09:39:27 CEST 2006 - stark@suse.de
-
-- save printer settings properly (#174082, bmo #324072)
-- added startup notification support for showing load activity
- in Gnome and to avoid focus stealing prevention (#115417)
-- added StartupNotify=true to desktop file (#115417)
-- provide legacy symlink for NLD9 update compatibility (#173138)
-- fixed system-proxies patch to avoid unwanted wpad requests
- (#171743, #167613)
-
--------------------------------------------------------------------
-Mon May 8 14:55:52 CEST 2006 - stark@suse.de
-
-- preconfigure the theme according to the used desktop (#151163)
-
--------------------------------------------------------------------
-Thu Apr 27 10:24:07 CEST 2006 - stark@suse.de
-
-- last minute change for 1.5.0.3
-
--------------------------------------------------------------------
-Wed Apr 26 14:23:33 CEST 2006 - stark@suse.de
-
-- security update to 1.5.0.3
-- fix for typo in postscript.patch
-
--------------------------------------------------------------------
-Tue Apr 25 14:14:51 CEST 2006 - stark@suse.de
-
-- fixed iframe crash (#169039, bmo #334515)
-- fixed img tag misuse (#168710, bmo #334341)
-
--------------------------------------------------------------------
-Mon Apr 24 08:04:16 CEST 2006 - stark@suse.de
-
-- improved postscript output (bmo #334485)
-- changed defaults for printer properties (#6534)
-- overwrite gnome-vfs' file protocol by providing "desktop-launch"
- (#131501)
-- get available paper sizes from CUPS (#65482)
-- replaced/removed complicated gconfd reload in %post (#167989)
-- fixed memory leak in clipboard caching (bmo #289897)
-
--------------------------------------------------------------------
-Tue Apr 11 08:35:53 CEST 2006 - stark@suse.de
-
-- added (optional) plastikfox theme (#151163)
-- get some more security related patches (#148876)
-- finally fixed the default proxy configuration by adding a new
- UI option (#132398)
-
--------------------------------------------------------------------
-Mon Apr 3 11:41:13 CEST 2006 - stark@suse.de
-
-- fixed keyword fixup patch (#162532)
-
--------------------------------------------------------------------
-Tue Mar 28 07:17:04 CEST 2006 - stark@suse.de
-
-- don't use keyword fixup for pasted text (#160034, bmo #331522)
-
--------------------------------------------------------------------
-Mon Mar 20 09:28:58 CET 2006 - stark@suse.de
-
-- added Tango theme
-- fixed reading proxies from gconf (#132398)
-
--------------------------------------------------------------------
-Sun Mar 12 09:04:05 CET 2006 - stark@suse.de
-
-- tweaked bookmarks (fixed URLs)
-- added Khmer (km-*) to pango locales (#157397)
-
--------------------------------------------------------------------
-Sat Mar 4 21:08:45 CET 2006 - stark@suse.de
-
-- fixed crash with multipart JPEGs (bmo #328684) (#140416)
-- got latest security fixes from upstream (#148876)
-
--------------------------------------------------------------------
-Wed Feb 22 13:24:58 CET 2006 - stark@suse.de
-
-- fixed plugin loading when launched from Thunderbird (#151614)
-- merged dbus reconnection patch (#150042)
-- default to autodetect proxy (network.proxy.type=4) (#151811)
-- added GTK category to desktop file
-
--------------------------------------------------------------------
-Tue Feb 14 06:45:24 CET 2006 - stark@suse.de
-
-- modified lockdown patches (#67281, #67282)
-- applied set of security patches (#148876)
- bmo bugs: 282105, 307989, 315625, 320459, 323634, 325403, 325947
-
--------------------------------------------------------------------
-Tue Feb 7 20:09:43 CET 2006 - stark@suse.de
-
-- fixed disabling of Pango (#148788)
-
--------------------------------------------------------------------
-Thu Feb 2 21:51:30 CET 2006 - stark@suse.de
-
-- define gssapi lib explicitely (#147670)
-- use only official Firefox-Icon
-- changed home-download patch
-
--------------------------------------------------------------------
-Sun Jan 29 09:54:49 CET 2006 - stark@suse.de
-
-- throbber URL is default again
-- removed firefox-showpass patch
-- removed additional CA certs from builtin NSS
-
--------------------------------------------------------------------
-Fri Jan 27 17:55:21 CET 2006 - stark@suse.de
-
-- got some l10n changes from 1.8.0 branch
-
--------------------------------------------------------------------
-Fri Jan 27 08:15:09 CET 2006 - stark@suse.de
-
-- final 1.5.0.1 version
-- make it possible to choose $HOME as download directory
- (#144894, bmo #300856)
-
--------------------------------------------------------------------
-Wed Jan 25 21:33:43 CET 2006 - mls@suse.de
-
-- converted neededforbuild to BuildRequires
-
--------------------------------------------------------------------
-Sun Jan 22 17:06:57 CET 2006 - stark@suse.de
-
-- disable Pango if MOZ_ENABLE_PANGO is not set
- and no typical language which needs Pango is used (#143428)
-
--------------------------------------------------------------------
-Wed Jan 18 10:27:30 CET 2006 - stark@suse.de
-
-- fixed DumpStackToFile() for glibc 2.4
-- added default (font) settings
-
--------------------------------------------------------------------
-Thu Jan 12 10:23:58 CET 2006 - stark@suse.de
-
-- update to 1.5.0.1pre (20060111)
-- updated man-page
-- fixed hovered tab close button
-- only Requires mozilla-nspr instead of PreReq since
- there is no postinstall registration necessary anymore
-- use system NSS from CODE10 on
-- use -fstack-protector where available
-- changed unixproxy component to work on older distributions
-
--------------------------------------------------------------------
-Mon Jan 2 13:39:09 CET 2006 - stark@suse.de
-
-- added unixproxy component written by Robert O'Callahan (#132398)
- (bmo #66057)
-- added official translations
-- preload libaoss for plugin sound (#117079)
-
--------------------------------------------------------------------
-Wed Dec 28 08:16:03 CET 2005 - stark@suse.de
-
-- get some patches from 1.8.0 branch
-- readded modification to gconf-backend (bmo #321315)
-- readded lockdown stuff
-- enable additional extension install directory (#120329)
- (/usr/lib/browser-extensions/firefox)
-- added patch to make the XUL filechooser optional
- (MOZ_XUL_PICKER)
-
--------------------------------------------------------------------
-Wed Dec 14 16:08:12 CET 2005 - stark@suse.de
-
-- fixed patch for parsing -remote parameter
-- removed default-plugin patch (not needed anymore)
-
--------------------------------------------------------------------
-Fri Dec 9 17:21:29 CET 2005 - stark@suse.de
-
-- fix to ignore X composite extension (#135373)
-- fixed parsing of -remote parameters (#134396)
-- activated locales as released
-
--------------------------------------------------------------------
-Tue Nov 29 21:33:13 CET 2005 - stark@suse.de
-
-- update to 1.5 (20051128)
-- don't override startup URL when changing Gecko versions (#135314)
-- added patch for GTK2 handling (#134831)
-- readded add-plugins stuff for compatibility
-
--------------------------------------------------------------------
-Fri Nov 18 07:41:41 CET 2005 - stark@suse.de
-
-- update to 1.5rc3 (20051117)
-
--------------------------------------------------------------------
-Mon Oct 31 08:58:14 CET 2005 - stark@suse.de
-
-- updated l10n archive (20051030)
-- fixed postinstall script to copy plugin links instead of files
-
--------------------------------------------------------------------
-Fri Oct 28 06:43:27 CEST 2005 - stark@suse.de
-
-- update to 1.5rc1 (20051027)
-- fixed profile locking on FAT partitions (bmo #313360)
-- introduced an rpath again
-
--------------------------------------------------------------------
-Wed Oct 19 20:03:48 CEST 2005 - stark@suse.de
-
-- update to snapshot 1.5 (20051019)
-- moved installation to /usr/%{_lib}/firefox
-- added dbus component to be able to get network status from
- NetworkManager (bmo #312793)
-- remove all update UI for application
-- removed diable-gconf (no registration at build time anymore)
-- removed rebuild-databases.sh (no system registration anymore)
-- open links in new windows (#128087)
-
--------------------------------------------------------------------
-Thu Oct 6 20:44:53 CEST 2005 - stark@suse.de
-
-- update to Firefox 1.5b2 (20051005)
-- added supported translations
-
--------------------------------------------------------------------
-Sat Oct 1 15:09:18 CEST 2005 - stark@suse.de
-
-- update to Firefox 1.5b1 (20050930) RPM version 1.4.1
-- removed rebuild-databases.sh calls
-- removed add-plugins.sh calls and corresponding triggers
-- enabled SVG and Canvas support
-- fixed gconf urlhandler registration
-
--------------------------------------------------------------------
-Tue Sep 20 10:24:16 CEST 2005 - stark@suse.de
-
-- security update to 1.0.7 (#117619)
- * MFSA 2005-57: IDN heap overrun using soft-hyphens (bmo #307259)
- (enabled IDN pref again)
- * MFSA 2005-58:
- CAN-2005-2701 Heap overrun in XBM image processing
- CAN-2005-2702 Crash on "zero-width non-joiner" sequence
- CAN-2005-2703 XMLHttpRequest header spoofing
- CAN-2005-2704 Object spoofing using XBL <implements>
- CAN-2005-2705 JavaScript integer overflow
- CAN-2005-2706 Privilege escalation using about: scheme
- CAN-2005-2707 Chrome window spoofing
- Regression fixes
-- register beagle extension if it gets installed (#116787)
-
--------------------------------------------------------------------
-Tue Sep 13 15:41:37 CEST 2005 - aj@suse.de
-
-- Change SUSE bookmarks.
-
--------------------------------------------------------------------
-Sun Sep 11 17:05:07 CEST 2005 - stark@suse.de
-
-- disable IDN per default (#116070)
-- unlocalize bookmarks (#114279)
-
--------------------------------------------------------------------
-Thu Sep 8 08:52:13 CEST 2005 - stark@suse.de
-
-- fixed some filemodes (#114849)
-
--------------------------------------------------------------------
-Sun Sep 4 00:03:53 CEST 2005 - stark@suse.de
-
-- fixed gconf-backend patch to be able to use
- system prefs (#114054)
-
--------------------------------------------------------------------
-Thu Sep 1 13:22:17 CEST 2005 - stark@suse.de
-
-- changed default font to sans-serif (#114464)
-- removed de-de parts of the bookmark-links (#114279)
-
--------------------------------------------------------------------
-Mon Aug 22 06:10:12 CEST 2005 - stark@suse.de
-
-- install gconf schema for lockdown also on non-NLD
-- added backports (firefox-backports.patch)
- * gtk_im_context_set_cursor_location() is not used (bmo #281339)
- * fixed crash in imgCacheValidator::OnStartRequest()
- (bmo #293307)
-- workaround for linking with pangoxft and pangox
- (broken by gtk 2.8 update) (#105764)
-- remove extensions on deinstallation
-- include dragonegg (kparts) plugin (#105468)
-
--------------------------------------------------------------------
-Thu Aug 18 13:08:55 CEST 2005 - stark@suse.de
-
-- fixed regression in profile locking change (bmo #303633)
-- added rtsp handler to global config (#104434)
-- don't blacklist help: protocol (bmo #304833)
-- fixed Gdk-WARNING at startup (gtk.patch)
-- fixed crash with gtk 2.7 (bmo #300226, bnc #104586)
-- fixed installation of the beagle plugin
-- update industrial theme to 1.0.11 (#104564)
-- included lockdownV2 (removed obsolete gconf.diff)
-- linked firefox-bin with rpath to progdir
-
--------------------------------------------------------------------
-Fri Aug 5 09:51:26 CEST 2005 - stark@suse.de
-
-- fixed profile locking (bmo #151188)
-- install beagle extension globally
-
--------------------------------------------------------------------
-Fri Jul 29 06:58:24 CEST 2005 - stark@suse.de
-
-- don't require and provide NSS libs (#98002)
-- fixed printing error 'You cannot print while in print preview'
- (#96991, bmo #302445)
-
--------------------------------------------------------------------
-Wed Jul 27 09:34:12 CEST 2005 - stark@suse.de
-
-- fixed Firefox on ppc (stack-direction.patch) (#97359)
-- removed open-pref from startscript as it is done
- automatically now (#73042)
-- updated Novell searchplugins
-
--------------------------------------------------------------------
-Mon Jul 25 12:32:13 CEST 2005 - stark@suse.de
-
-- GTK filechooser is now modal (#8533)
-- backed out patch to add tooltips to print-preview
- because it breaks localization
-
--------------------------------------------------------------------
-Fri Jul 22 10:54:39 CEST 2005 - stark@suse.de
-
-- fixed another problem in printing patch
-
--------------------------------------------------------------------
-Tue Jul 19 10:44:59 CEST 2005 - stark@suse.de
-
-- fixed error in ft-xft-ps2.patch
-- disabled stripping in spec instead of patch
-- added NSPR to PreReq
-
--------------------------------------------------------------------
-Mon Jul 18 08:43:24 CEST 2005 - stark@suse.de
-
-- fixed some more regressions with final 1.0.6
-- fixed width calculation in Postscript module (bmo #290292)
-- fixed plugin event starvation (bnc #94749, #94751, bmo #301161)
-
--------------------------------------------------------------------
-Fri Jul 15 11:24:47 CEST 2005 - stark@suse.de
-
-- searchplugins can now be installed per profile (#8176)
-
--------------------------------------------------------------------
-Fri Jul 15 06:54:02 CEST 2005 - stark@suse.de
-
-- update to 1.0.6 which restores API compatibility
-
--------------------------------------------------------------------
-Tue Jul 12 06:20:37 CEST 2005 - stark@suse.de
-
-- update to 1.0.5 final (#88509)
-- don't strip explicitely
-- don't ship beagle.xpi
-
--------------------------------------------------------------------
-Wed Jul 6 14:13:09 CEST 2005 - stark@suse.de
-
-- update to 1.0.5-pre (20050705)
-- use RPM_OPT_FLAGS for NSS component
-- fixed implicit declarations and uninitialized used variables
-- added patch for bmo #87969
-
--------------------------------------------------------------------
-Tue Jul 5 10:17:16 CEST 2005 - stark@suse.de
-
-- fixed regression from security update (#95069, bmo #298478)
-
--------------------------------------------------------------------
-Mon Jun 27 21:46:58 CEST 2005 - stark@suse.de
-
-- don't use system-prefs by default on NLD
-- removed basic lockdown stuff for SUSE Linux
- (it's not needed and caused problems: bnc #75418)
-- fixed NLD lockdown patch (bnc #75418)
-- don't write prefs back to gconf for now
-
--------------------------------------------------------------------
-Wed Jun 22 07:32:42 CEST 2005 - stark@suse.de
-
-- new NLD lockdown patch which is syncing user prefs to gconf
-- update to 1.0.5pre security-release
-
--------------------------------------------------------------------
-Thu Jun 9 06:56:02 CEST 2005 - stark@suse.de
-
-- new revision of NLD lockdown patch
-- fixed remote usage behaviour in start script (bnc #41903)
-- got more bugfixes from the branch
-
--------------------------------------------------------------------
-Thu Jun 2 10:31:48 CEST 2005 - stark@suse.de
-
-- fixed neededforbuild
-
--------------------------------------------------------------------
-Wed Jun 1 20:15:25 CEST 2005 - stark@suse.de
-
-- fixed IDN for 64bit platforms (bmo #236425, bnc #46268)
-
--------------------------------------------------------------------
-Fri May 20 15:12:06 CEST 2005 - stark@suse.de
-
-- fixed keybinding for KP separator (bnc #84147)
-- pulled security related patch from upstream branch
-- update plastikfox theme to version 1.6
-
--------------------------------------------------------------------
-Thu May 12 06:16:25 CEST 2005 - stark@suse.de
-
-- update to final 1.0.4 release
-
--------------------------------------------------------------------
-Tue May 10 06:38:05 CEST 2005 - stark@suse.de
-
-- update to 1.0.4 security release
-- removed s390(x) patches (upstream)
-- made two more files %verify (81692)
-- updated NLD lockdown patch (81304)
-
--------------------------------------------------------------------
-Thu Apr 28 09:45:53 CEST 2005 - stark@suse.de
-
-- use static NSPR libs from new location
-
--------------------------------------------------------------------
-Sat Apr 23 15:56:08 CEST 2005 - stark@suse.de
-
-- activate usage of system NSPR for distributions after 9.3
-- add patch to be able to use systen NSPR at all
-
--------------------------------------------------------------------
-Fri Apr 22 02:06:06 CEST 2005 - ro@suse.de
-
-- use mozilla-gcc4.patch
-
--------------------------------------------------------------------
-Thu Apr 21 12:51:19 CEST 2005 - stark@suse.de
-
-- don't execute gconf magic within build environment
-
--------------------------------------------------------------------
-Sat Apr 16 13:05:37 CEST 2005 - stark@suse.de
-
-- update to final 1.0.3 release
-
--------------------------------------------------------------------
-Fri Apr 15 00:10:54 CEST 2005 - ro@suse.de
-
-- fix problem in postinstall script
-
--------------------------------------------------------------------
-Wed Apr 14 09:20:02 CEST 2005 - stark@suse.de
-
-- included fixed lockdown patch for NLD
-- linked proxies within Firefox with gnome settings (NLD)
-- added gconfd restart procedure to install script
- (only needed if gconf changes are done) (#76852)
-
--------------------------------------------------------------------
-Sat Apr 2 21:03:11 CEST 2005 - stark@suse.de
-
-- update to security pre-release 1.0.3 (#75692)
- * Manual plug-in install, javascript vulnerability (bmo #288556)
- * Access memory vulnerability (bmo #288688)
-
--------------------------------------------------------------------
-Fri Apr 1 11:32:44 CEST 2005 - stark@suse.de
-
-- added advanced lockdown features for ZLM integration (NLD-only)
-
--------------------------------------------------------------------
-Tue Mar 22 12:33:15 CET 2005 - stark@suse.de
-
-- update to final 1.0.2
-- use new theme handling on NLD
-- added default-plugin-less-annoying from mozilla
-- use GTK2 for Flash
-- use system NSPR on SUSE releases after 9.3
-- made startscript PIS aware
-- set g-application-name correctly (bmo #281979)
-- added man-page
-- use GTK system colors
-- modify useragent string and add vendor id
-- activate smooth-scrolling by default (#74310)
-
--------------------------------------------------------------------
-Tue Mar 22 08:59:06 CET 2005 - stark@suse.de
-
-- don't register beagle automatically (#74062)
-- added default bookmarks for SUSE LINUX
-
--------------------------------------------------------------------
-Mon Mar 21 18:20:39 CET 2005 - max@suse.de
-
-- Fixed a typo in the shell code that handles inclusion of the
- Acrobat Reader plugin (#70861).
-
--------------------------------------------------------------------
-Thu Mar 17 21:01:11 CET 2005 - stark@suse.de
-
-- updates from upcoming 1.0.2
-- added again logic to use Adobe Reader 7 (#70861)
-- fixed crash in ICO decoding (#67142, bmo #245631)
-- preinstall beagle extension (#72920)
-- bugfixes in trigger scripts
-- fixed industrial theming for Gnome (#72918)
-
--------------------------------------------------------------------
-Sat Mar 12 12:42:16 CET 2005 - stark@suse.de
-
-- fixed more security related bugs
- (bmo #284551, #284627, #285595)
-
--------------------------------------------------------------------
-Wed Mar 9 21:42:05 CET 2005 - stark@suse.de
-
-- update also GNOME desktop file (#71810)
-- added firefox-gnome.png to filelist
-- use correct Firefox icon
-
--------------------------------------------------------------------
-Mon Mar 7 20:47:00 CET 2005 - stark@suse.de
-
-- disable inclusion of acrobat plugin again (#70861)
-- don't use gconfd in registration phase (#66381)
-
--------------------------------------------------------------------
-Mon Mar 7 16:13:29 CET 2005 - adrian@suse.de
-
-- use standard icon again for the default desktop file and
- add a Gnome-only desktop file for the Gnome icon
-- add plastikfox chrome theme to fix button order within KDE
-- add patch for automatic theme selection for KDE and Gnome
-- do register extensions in rebuild-databases.sh instead of %install,
- to fix needed timestamps
-
--------------------------------------------------------------------
-Fri Mar 4 07:54:47 CET 2005 - stark@suse.de
-
-- extend add-plugins to recognize Java 1.5 (#66909)
-- changed comment in desktop-file (#66867)
-
--------------------------------------------------------------------
-Tue Feb 22 09:33:44 CET 2005 - stark@suse.de
-
-- make --display parameter working in all cases (bnc #66043)
-- revised postscript patch
-- final 1.0.1 codebase
-
--------------------------------------------------------------------
-Mon Feb 21 13:09:30 CET 2005 - stark@suse.de
-
-- added patch to create Postscript level 2 (instead of 3)
- (special thanks to Jungshik Shin)
-- disabled freetype explicitly to be able to use the above patch
- (freetype wasn't used anymore since some time anyway)
-
--------------------------------------------------------------------
-Fri Feb 18 09:10:10 CET 2005 - stark@suse.de
-
-- got more patches from branch to get another IDN fix and to
- fix bug #51019
-- enabled IDN again
-
--------------------------------------------------------------------
-Wed Feb 16 09:20:39 CET 2005 - stark@suse.de
-
-- bumped version number to 1.0.1
-
--------------------------------------------------------------------
-Tue Feb 15 10:26:04 CET 2005 - stark@suse.de
-
-- got updates from 1.0.1 branch
-
--------------------------------------------------------------------
-Thu Feb 10 06:57:33 CET 2005 - stark@suse.de
-
-- additional fireflashing fix (#50635, bmo #280664)
-- some more security related fixes
- (bmo #268483, #273498, #277322)
-- fire up GTK2 filepicker if GNOME is running
-
--------------------------------------------------------------------
-Tue Feb 8 07:51:13 CET 2005 - stark@suse.de
-
-- some prefs are ignored (bmo #261934)
-- disabled default IDN (#50566)
-- fixed some more bugzilla.mozilla.org bugs:
- #276482, #280056, #280603
-
--------------------------------------------------------------------
-Sun Feb 6 13:10:12 CET 2005 - stark@suse.de
-
-- use same desktop categories for Professional and NLD
-- added some lockdown stuff for printing and page saving
- (bmo #280488)
-
--------------------------------------------------------------------
-Wed Feb 2 13:58:53 CET 2005 - stark@suse.de
-
-- modified gconf.diff to honor ignore_hosts (bmo #280742)
-- added a JS crasher fix (bmo #268535)
-- added more fixes (bmo #255441, #273024, #275405, #275634)
-
--------------------------------------------------------------------
-Fri Jan 28 12:39:37 CET 2005 - stark@suse.de
-
-- added gplflash inclusion
-- improved JRE inclusion
-- reactivated usage of Acrobat Reader plugin
- (ready for acroread 7)
-
--------------------------------------------------------------------
-Sat Jan 22 13:16:47 CET 2005 - stark@suse.de
-
-- added some backported bugfixes
-
--------------------------------------------------------------------
-Sat Dec 18 10:30:11 CET 2004 - stark@suse.de
-
-- updated industrial theme to 1.0.9
-- use slightly changed icon for menu-entry (bnc #275)
-- use original desktop file for NLD again
-
--------------------------------------------------------------------
-Thu Dec 16 19:37:48 CET 2004 - stark@suse.de
-
-- newer patch for GNOME associations (bnc #362)
-- fix overwriting of files with GTK picker (Ximian #65068)
-- readded the industrial default theme patch for NLD
-
--------------------------------------------------------------------
-Wed Dec 15 11:50:56 CET 2004 - stark@suse.de
-
-- activate GTK filepicker for NLD again
-- fix for GNOME helper applications with parameters
-- make GNOME associations the default on NLD
-
--------------------------------------------------------------------
-Sat Dec 4 16:11:01 CET 2004 - stark@suse.de
-
-- fixed build on s390/s390x
-- added patch to be able to install-global without running X
- (bmo #265859)
-
--------------------------------------------------------------------
-Thu Nov 18 21:48:05 CET 2004 - stark@suse.de
-
-- update industrial theme to 1.0.8 (still not activated)
-- added patch to make home-directory the default download dir
- (on NLD is still used Desktop)
-
--------------------------------------------------------------------
-Thu Nov 11 09:01:58 CET 2004 - stark@suse.de
-
-- made initial window height smaller again
-
--------------------------------------------------------------------
-Tue Nov 9 09:09:06 CET 2004 - stark@suse.de
-
-- update to final 1.0 release (20041109)
-
--------------------------------------------------------------------
-Thu Nov 4 08:22:36 CET 2004 - stark@suse.de
-
-- update to 1.0rc2
-
--------------------------------------------------------------------
-Sat Oct 30 21:27:29 CEST 2004 - stark@suse.de
-
-- added missing s390(x) patch
-
--------------------------------------------------------------------
-Wed Oct 27 07:26:25 CEST 2004 - stark@suse.de
-
-- update to 1.0rc1 codebase
-- printing via XFT/fontconfig
-- freetype changes to avoid API conflicts with newer freetype2
-- fixed build for s390/s390x
-- removed AMD64 patch (included upstream)
-- added translations sub-package
-- removed "Show folder" patch for NLD (resolved upstream)
-- don't use gnome-filepicker patch for NLD for now
-- removed hppa buildfix (included upstream)
-- removed untitled.patch (bmo #24068) resolved by (bmo #262478)
-- use make -C browser/installer now to prepare installation
-- don't check for default browser at startup (#47587)
-- updated industrial.jar (0.99.13) (disabled)
-
--------------------------------------------------------------------
-Fri Oct 15 13:51:54 CEST 2004 - stark@suse.de
-
-- inherit locale from system
-- fixed chrome registration
-
--------------------------------------------------------------------
-Wed Oct 6 23:11:01 CEST 2004 - joeshaw@suse.de
-
- - disable gconf settings as default (Ximian #67718)
-
--------------------------------------------------------------------
-Wed Oct 6 07:04:05 CEST 2004 - stark@suse.de
-
-- fixed inclusion of RealPlayer plugin again
-
--------------------------------------------------------------------
-Tue Oct 5 10:09:04 CEST 2004 - stark@suse.de
-
-- small important fix in firefox-download.patch (Ximian #65472)
-
--------------------------------------------------------------------
-Sun Oct 3 00:02:09 CEST 2004 - stark@suse.de
-
-- added security-fix from 0.10.1 (mozilla.org #259708) (#46687)
-
--------------------------------------------------------------------
-Fri Oct 1 12:49:38 CEST 2004 - stark@suse.de
-
-- final fix for downloading to Desktop folder (Ximian #65756)
-- remove Postscript from printer names (Ximian #65560)
-
--------------------------------------------------------------------
-Thu Sep 30 16:14:10 CEST 2004 - shprasad@suse.de
-
-- Modified the MozillaFirefox.desktop file.
- Changed the name 'Firefox' to 'Firefox Web Browser'.
- Also changed it for all languages.
-
--------------------------------------------------------------------
-Wed Sep 29 15:54:46 CEST 2004 - stark@suse.de
-
-- fix inclusion of RealPlayer plugin (Ximian #65711)
-
--------------------------------------------------------------------
-Mon Sep 27 17:51:24 CEST 2004 - joeshaw@suse.de
-
-- Update the industrial default patch, for some reason it didn't
- take before.
-
--------------------------------------------------------------------
-Fri Sep 24 07:34:48 CEST 2004 - stark@suse.de
-
-- fix for Ximian #65176 (mozilla.org #240068)
-- revised patch for update function (Ximian #65615)
-
--------------------------------------------------------------------
-Thu Sep 23 20:21:39 CEST 2004 - joeshaw@suse.de
-
-- Uncomment the patch which tells the UI that industrial is the
- default.
-
--------------------------------------------------------------------
-Thu Sep 23 12:38:06 CEST 2004 - stark@suse.de
-
-- open Nautilus on NLD for 'Show folder' in download settings
- (Ximian #65472) by sragavan@novell.com
-- save to Desktop folder if selected (Ximian #65756)
- by sragavan@novell.com
-
--------------------------------------------------------------------
-Wed Sep 22 10:23:01 CEST 2004 - stark@suse.de
-
-- synced NLD package with 9.2 version
-- GTK2 filepicker does now ask for confirmation when overwriting
- files (Ximian #65068) by sagarwala@novell.com
-- no direct update function (Ximian #65615) by rganesan@novell.com
-- throbber linked to Novell (Ximian #66283) by rganesan@novell.com
-- make industrial the default theme for NLD
- (Ximian #65542) by joeshaw@suse.de
-
--------------------------------------------------------------------
-Mon Sep 20 22:00:55 CEST 2004 - joeshaw@suse.de
-
-- Add default bookmarks. Ximian #65546.
-- Add the industrial theme, but it's not the default yet.
-- Remove acroread from add-plugins because it's badly behaved.
- Ximian #65499.
-
--------------------------------------------------------------------
-Mon Sep 20 17:57:38 CEST 2004 - federico@ximian.com
-
-- Added MozillaFirefox-toplevel-window-height.diff for
- http://bugzilla.ximian.com/show_bug.cgi?id=65543
-
--------------------------------------------------------------------
-Sun Sep 19 15:42:30 CEST 2004 - stark@suse.de
-
-- use GNOME system prefs only for NLD by default
- (fixes bug #45575)
-
--------------------------------------------------------------------
-Fri Sep 17 08:59:32 CEST 2004 - stark@suse.de
-
-- joeshaw@suse.de: Update GConf patch so that proxy settings work
- correctly (Ximian #64461)
-- don't search Java on every path (Ximian #65383)
-- added some missing fixes for official release
-- added new java package name for triggers (#45257)
-
--------------------------------------------------------------------
-Sat Sep 11 13:25:41 CEST 2004 - stark@suse.de
-
-- update to official 1.0PR (0.10)
-- adopted gnome-filepicker patch
-- removed obsolete CUPS hack from start-script
- (Ximian #65635, #65560)
-
--------------------------------------------------------------------
-Thu Sep 9 21:35:42 CEST 2004 - stark@suse.de
-
-- fixed endianess on AMD64 in JS component (#34743)
-
--------------------------------------------------------------------
-Mon Sep 6 17:33:07 CEST 2004 - stark@suse.de
-
-- fixed filelist
-
--------------------------------------------------------------------
-Mon Sep 6 13:48:03 CEST 2004 - stark@suse.de
-
-- update to 1.0PR (aka 0.10)
-
--------------------------------------------------------------------
-Fri Sep 3 21:35:47 CEST 2004 - stark@suse.de
-
-- added ppc64 patch
-
--------------------------------------------------------------------
-Thu Sep 2 03:08:59 CEST 2004 - dave@suse.de
-
-- Fixed up the .desktop installation on nld
-
--------------------------------------------------------------------
-Wed Sep 1 15:05:48 CEST 2004 - shprasad@suse.de
-
-- Doesn't ask to set Firefox as default web-browser.
-
--------------------------------------------------------------------
-Tue Aug 31 14:01:18 CEST 2004 - stark@suse.de
-
-- next new version for filepicker stuff
-- deactivated native filepicker for NLD
-- update to snapshot (20040831)
-
--------------------------------------------------------------------
-Tue Aug 24 17:35:52 CEST 2004 - stark@suse.de
-
-- new version of gnome-filepicker patch
-- added patch for config
-
--------------------------------------------------------------------
-Fri Aug 20 17:12:48 CEST 2004 - stark@suse.de
-
-- update to snapshot (20040820)
-
--------------------------------------------------------------------
-Thu Aug 19 08:46:42 CEST 2004 - stark@suse.de
-
-- added workaround for mozilla bug #246313
- (Firefox does not start: getting "cannot open display" error)
-
--------------------------------------------------------------------
-Wed Aug 18 15:07:22 CEST 2004 - stark@suse.de
-
-- added some patches from Ximian
- - use GNOME filepicker
- - use more gconf settings
- - set startup homepage to Novell
-
--------------------------------------------------------------------
-Tue Aug 17 13:12:35 CEST 2004 - stark@suse.de
-
-- update to pre-1.0.0 (20040817)
-
--------------------------------------------------------------------
-Thu Aug 5 06:27:41 CEST 2004 - stark@suse.de
-
-- security update to 0.9.3
- (including #43312 and others)
-- handle RealPlayer 9 plugin
-
--------------------------------------------------------------------
-Mon Aug 2 15:11:51 CEST 2004 - ro@suse.de
-
-- recode desktop file to utf-8
-
--------------------------------------------------------------------
-Wed Jul 28 08:46:31 CEST 2004 - stark@suse.de
-
-- added fix against certificate spoofing (#43312)
-
--------------------------------------------------------------------
-Fri Jul 23 06:31:41 CEST 2004 - stark@suse.de
-
-- update to 0.9.2
-- added workaround for extension registry
-- removed old (incompatible) mozex extension
-
--------------------------------------------------------------------
-Tue Jun 29 06:27:59 CEST 2004 - stark@suse.de
-
-- update to 0.9.1
-- added hint to run as root first
-
--------------------------------------------------------------------
-Tue Jun 15 12:42:28 CEST 2004 - stark@suse.de
-
-- update to 0.9
-- added patch for newer freetype
-
--------------------------------------------------------------------
-Fri Apr 2 10:31:45 CEST 2004 - stark@suse.de
-
-- removing relocation of TEMP directory (#34391)
-
--------------------------------------------------------------------
-Mon Mar 29 11:43:51 CEST 2004 - stark@suse.de
-
-- update to 0.8.0+ (20040503)
-- removed firefox logos and activate official branding for
- milestone builds
-- changed profile-dir to .firefox
-- added some needed files
-- enabled gnomevfs extension
-
--------------------------------------------------------------------
-Fri Mar 26 18:09:34 CET 2004 - uli@suse.de
-
-- fixed hang during build on s390* (bug #35440)
-
--------------------------------------------------------------------
-Wed Mar 3 06:52:00 CET 2004 - stark@suse.de
-
-- removed unused patches for GTK2 build
-- more fixes for (#35179)
-
--------------------------------------------------------------------
-Mon Mar 1 07:32:52 CET 2004 - stark@suse.de
-
-- improved start-script to interact with thunderbird (#35179)
-
--------------------------------------------------------------------
-Thu Feb 26 06:57:05 CET 2004 - stark@suse.de
-
-- use official releasedate
-- added official (trademarked) artwork
-- added firefox icon to /usr/share/pixmaps
-- cleaned up spec-file (there will be no GTK1 version)
-
--------------------------------------------------------------------
-Tue Feb 24 16:43:17 CET 2004 - stark@suse.de
-
-- fixed optimization for non-x86 archs
-
--------------------------------------------------------------------
-Tue Feb 24 07:43:35 CET 2004 - stark@suse.de
-
-- adopted file-list and build options to original distribution
-- added prdtoa fix (#32963)
-- added hook for static firefox build to rebuild-databases.sh
-- added compiler flags for security/ (nss-opt.patch)
-- included mozex (mozex.mozdev.org)
-- added -Os as optimization flag
-
--------------------------------------------------------------------
-Mon Feb 9 21:59:37 CET 2004 - stark@suse.de
-
-- renamed to MozillaFirefox
-- update to final version 0.8
-
--------------------------------------------------------------------
-Fri Feb 6 08:39:15 CET 2004 - stark@suse.de
-
-- update to Firebird 0.8 (20040205)
-- added mips build fix
-- set PS printer list in MozillaFirebird.sh
-- use lib64 again for biarch platforms
-
--------------------------------------------------------------------
-Sat Jan 10 10:33:54 CET 2004 - adrian@suse.de
-
-- build as user
-
--------------------------------------------------------------------
-Fri Aug 22 11:32:07 CEST 2003 - stark@suse.de
-
-- upstream sync for 0.6.1post
-
--------------------------------------------------------------------
-Sun Aug 10 22:01:12 CEST 2003 - stark@suse.de
-
-- removed dmoz from searchplugins-filelist
-
--------------------------------------------------------------------
-Fri Aug 8 10:30:50 CEST 2003 - stark@suse.de
-
-- update to 0.6.1post (TRUNK)
-- use -fno-strict-aliasing
-
--------------------------------------------------------------------
-Thu Jul 31 11:25:39 CEST 2003 - stark@suse.de
-
-- update to 0.6.1 (MOZILLA_1_4_BRANCH)
-- synchronized with mozilla-source
-- created file-list
-
--------------------------------------------------------------------
-Thu Jul 10 09:45:49 CEST 2003 - stark@suse.de
-
-- update to snapshot 20030709
-- fixed generation of symlink MozillaFirebird-xremote-client
-
--------------------------------------------------------------------
-Fri Jun 20 06:53:08 CEST 2003 - stark@suse.de
-
-- update to snapshot 20030622 (0.7pre)
-
--------------------------------------------------------------------
-Mon May 19 08:54:46 CEST 2003 - stark@suse.de
-
-- update to snapshot 20030518 (0.6)
-
--------------------------------------------------------------------
-Sun May 7 10:11:16 CEST 2003 - stark@suse.de
-
-- update to snapshot 20030507
-
--------------------------------------------------------------------
-Wed Apr 30 13:26:43 CEST 2003 - stark@suse.de
-
-- initial SuSE package
-
--- a/MozillaFirefox/firefox-esr.spec Mon Sep 06 12:03:54 2021 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,824 +0,0 @@
-#
-# spec file
-#
-# Copyright (c) 2021 SUSE LLC
-# 2006-2021 Wolfgang Rosenauer <wr@rosenauer.org>
-#
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
-#
-
-# either MozillaFirefox or firefox-esr
-%if "0%{?ff_esr_name}" != "0"
-%define pkgname %{ff_esr_name}
-%else
-%if 0%{?suse_version} > 1549
-%define pkgname firefox-esr
-%else
-%define pkgname MozillaFirefox
-%endif
-%endif
-
-%define _dwz_low_mem_die_limit 40000000
-%define _dwz_max_die_limit 200000000
-
-# changed with every update
-# orig_version vs. mainver: To have beta-builds
-# FF70beta3 would be released as FF69.99
-# orig_version would be the upstream tar ball
-# orig_version 70.0
-# orig_suffix b3
-# major 69
-# mainver %major.99
-%define major 91
-%define mainver %major.1.0
-%define orig_version 91.1.0
-%define orig_suffix esr
-%define update_channel esr91
-%define branding 1
-%define devpkg 0
-
-# PGO builds do not work in TW currently (bmo#1680306)
-%define do_profiling 0
-
-# upstream default is clang (to use gcc for large parts set to 0)
-%define clang_build 0
-
-# PIE, full relro
-%define build_hardened 1
-
-%bcond_with only_print_mozconfig
-
-# define if ccache should be used or not
-%define useccache 1
-
-# SLE-12 doesn't have this macro
-%{!?_rpmmacrodir: %global _rpmmacrodir %{_rpmconfigdir}/macros.d}
-
-# Firefox only supports i686
-%ifarch %ix86
-ExclusiveArch: i586 i686
-BuildArch: i686
-%{expand:%%global optflags %(echo "%optflags"|sed -e s/i586/i686/) -march=i686 -mtune=generic}
-%endif
-
-# general build definitions
-%if "%{pkgname}" == "firefox-esr"
-%define progname firefox-esr
-%define appname Firefox ESR
-%else
-%define progname firefox
-%define appname Firefox
-%endif
-%define srcname firefox
-%define progdir %{_prefix}/%_lib/%{progname}
-%define gnome_dir %{_prefix}
-%define desktop_file_name %{progname}
-%define firefox_appid \{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
-%define __provides_exclude ^lib.*\\.so.*$
-%define __requires_exclude ^(libmoz.*|liblgpllibs.*|libxul.*)$
-%define localize 1
-%ifarch %ix86 x86_64
-%define crashreporter 1
-%else
-%define crashreporter 0
-%endif
-%define with_pipewire0_3 1
-%define wayland_supported 1
-%if 0%{?sle_version} > 0 && 0%{?sle_version} < 150200
-# pipewire is too old on Leap <=15.1
-%define with_pipewire0_3 0
-# Wayland is too old on Leap <=15.1 as well
-%define wayland_supported 0
-%endif
-
-Name: %{pkgname}
-BuildRequires: Mesa-devel
-BuildRequires: alsa-devel
-BuildRequires: autoconf213
-BuildRequires: dbus-1-glib-devel
-BuildRequires: dejavu-fonts
-BuildRequires: fdupes
-BuildRequires: memory-constraints
-%if 0%{?suse_version} <= 1320
-BuildRequires: gcc9-c++
-%else
-BuildRequires: gcc-c++
-%endif
-%if 0%{?suse_version} < 1550 && 0%{?sle_version} < 150300
-BuildRequires: cargo >= 1.51
-BuildRequires: rust >= 1.51
-%else
-# Newer sle/leap/tw use parallel versioned rust releases which have
-# a different method for provides that we can use to request a
-# specific version
-BuildRequires: rust+cargo >= 1.51
-%endif
-%if 0%{useccache} != 0
-BuildRequires: ccache
-%endif
-BuildRequires: libXcomposite-devel
-BuildRequires: libcurl-devel
-BuildRequires: libidl-devel
-BuildRequires: libiw-devel
-BuildRequires: libproxy-devel
-BuildRequires: makeinfo
-BuildRequires: mozilla-nspr-devel >= 4.32
-BuildRequires: mozilla-nss-devel >= 3.68
-BuildRequires: nasm >= 2.14
-BuildRequires: nodejs >= 10.22.1
-%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
-BuildRequires: python-libxml2
-BuildRequires: python36
-%else
-BuildRequires: python3 >= 3.5
-BuildRequires: python3-devel
-%endif
-BuildRequires: rust-cbindgen >= 0.19.0
-BuildRequires: unzip
-BuildRequires: update-desktop-files
-BuildRequires: xorg-x11-libXt-devel
-%if 0%{?do_profiling}
-BuildRequires: xvfb-run
-%endif
-BuildRequires: yasm
-BuildRequires: zip
-%if 0%{?suse_version} < 1550
-BuildRequires: pkgconfig(gconf-2.0) >= 1.2.1
-%endif
-%if (0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000)
-BuildRequires: clang6-devel
-%else
-BuildRequires: clang-devel >= 5
-%endif
-BuildRequires: pkgconfig(gdk-x11-2.0)
-BuildRequires: pkgconfig(glib-2.0) >= 2.22
-BuildRequires: pkgconfig(gobject-2.0)
-BuildRequires: pkgconfig(gtk+-3.0) >= 3.14.0
-BuildRequires: pkgconfig(gtk+-unix-print-3.0)
-BuildRequires: pkgconfig(libffi)
-BuildRequires: pkgconfig(libpulse)
-%if %{with_pipewire0_3}
-BuildRequires: pkgconfig(libpipewire-0.3)
-%endif
-# libavcodec is required for H.264 support but the
-# openSUSE version is currently not able to play H.264
-# therefore the Packman version is required
-# minimum version of libavcodec is 53
-Recommends: libavcodec-full >= 0.10.16
-Version: %{mainver}
-Release: 0
-%if "%{name}" == "MozillaFirefox"
-Provides: firefox = %{mainver}
-Provides: firefox = %{version}-%{release}
-%endif
-Provides: web_browser
-Provides: appdata()
-Provides: appdata(firefox.appdata.xml)
-# this is needed to match this package with the kde4 helper package without the main package
-# having a hard requirement on the kde4 package
-%define kde_helper_version 6
-Provides: mozilla-kde4-version = %{kde_helper_version}
-Summary: Mozilla %{appname} Web Browser
-License: MPL-2.0
-Group: Productivity/Networking/Web/Browsers
-URL: http://www.mozilla.org/
-%if !%{with only_print_mozconfig}
-Source: http://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/source/%{srcname}-%{orig_version}%{orig_suffix}.source.tar.xz
-Source1: MozillaFirefox.desktop
-Source2: MozillaFirefox-rpmlintrc
-Source3: mozilla.sh.in
-Source4: tar_stamps
-Source7: l10n-%{orig_version}%{orig_suffix}.tar.xz
-Source8: firefox-mimeinfo.xml
-Source9: firefox.js
-Source11: firefox.1
-Source12: mozilla-get-app-id
-Source13: spellcheck.js
-Source14: https://github.com/openSUSE/firefox-scripts/raw/4503820/create-tar.sh
-Source15: firefox-appdata.xml
-Source16: %{name}.changes
-Source17: firefox-search-provider.ini
-# Set up API keys, see http://www.chromium.org/developers/how-tos/api-keys
-# Note: these are for the openSUSE Firefox builds ONLY. For your own distribution,
-# please get your own set of keys.
-Source18: mozilla-api-key
-Source19: google-api-key
-Source20: https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/source/%{srcname}-%{orig_version}%{orig_suffix}.source.tar.xz.asc
-Source21: https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/KEY#/mozilla.keyring
-# Gecko/Toolkit
-Patch1: mozilla-nongnome-proxies.patch
-Patch2: mozilla-kde.patch
-Patch3: mozilla-ntlm-full-path.patch
-Patch4: mozilla-aarch64-startup-crash.patch
-Patch6: mozilla-sandbox-fips.patch
-Patch7: mozilla-fix-aarch64-libopus.patch
-Patch8: mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
-Patch9: mozilla-s390-context.patch
-Patch10: mozilla-pgo.patch
-Patch11: mozilla-reduce-rust-debuginfo.patch
-Patch13: mozilla-bmo1005535.patch
-Patch14: mozilla-bmo1568145.patch
-Patch15: mozilla-bmo1504834-part1.patch
-Patch16: mozilla-bmo1504834-part2.patch
-Patch17: mozilla-bmo1504834-part3.patch
-Patch19: mozilla-bmo1512162.patch
-Patch20: mozilla-fix-top-level-asm.patch
-Patch21: mozilla-bmo1504834-part4.patch
-Patch22: mozilla-bmo849632.patch
-Patch24: mozilla-bmo1602730.patch
-Patch25: mozilla-bmo998749.patch
-Patch26: mozilla-bmo1626236.patch
-Patch27: mozilla-s390x-skia-gradient.patch
-Patch28: mozilla-libavcodec58_91.patch
-Patch29: mozilla-bmo1708709.patch
-Patch30: mozilla-silence-no-return-type.patch
-Patch31: mozilla-bmo531915.patch
-# Firefox/browser
-Patch101: firefox-kde.patch
-Patch102: firefox-branded-icons.patch
-%endif
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-Requires(post): coreutils shared-mime-info desktop-file-utils
-Requires(postun):shared-mime-info desktop-file-utils
-Requires: %{name}-branding >= 68
-%requires_ge mozilla-nspr
-%requires_ge mozilla-nss
-%requires_ge libfreetype6
-Recommends: libcanberra0
-Recommends: libpulse0
-# addon leads to startup crash (bnc#908892)
-Obsoletes: tracker-miner-firefox < 0.15
-%if 0%{?devpkg} == 0
-Obsoletes: %{name}-devel < %{version}
-%endif
-# libproxy's mozjs pacrunner crashes FF (bnc#759123)
-%if 0%{?suse_version} < 1220
-Obsoletes: libproxy1-pacrunner-mozjs <= 0.4.7
-%endif
-ExcludeArch: armv6l armv6hl
-
-%description
-Mozilla Firefox is a standalone web browser, designed for standards
-compliance and performance. Its functionality can be enhanced via a
-plethora of extensions.
-
-%if 0%{?devpkg}
-%package devel
-Summary: Devel package for %{appname}
-Group: Development/Tools/Other
-Provides: firefox-devel = %{version}-%{release}
-Requires: %{name} = %{version}
-Requires: perl(Archive::Zip)
-Requires: perl(XML::Simple)
-
-%description devel
-Development files for %{appname} to make packaging of addons easier.
-%endif
-
-%if %localize
-%package translations-common
-Summary: Common translations for %{appname}
-Group: System/Localization
-Provides: locale(%{name}:ar;ca;cs;da;de;el;en_GB;es_AR;es_CL;es_ES;fi;fr;hu;it;ja;ko;nb_NO;nl;pl;pt_BR;pt_PT;ru;sv_SE;zh_CN;zh_TW)
-# This is there for updates from Firefox before the translations-package was split up into 2 packages
-Provides: %{name}-translations
-Requires: %{name} = %{version}
-Obsoletes: %{name}-translations < %{version}-%{release}
-
-%description translations-common
-This package contains several common languages for the user interface
-of %{appname}.
-
-%package translations-other
-Summary: Extra translations for %{appname}
-Group: System/Localization
-Provides: locale(%{name}:ach;af;an;ast;az;be;bg;bn;br;bs;cak;cy;dsb;en_CA;eo;es_MX;et;eu;fa;ff;fy_NL;ga_IE;gd;gl;gn;gu_IN;he;hi_IN;hr;hsb;hy_AM;ia;id;is;ka;kab;kk;km;kn;lij;lt;lv;mk;mr;ms;my;ne_NP;nn_NO;oc;pa_IN;rm;ro;si;sk;sl;son;sq;sr;ta;te;th;tr;uk;ur;uz;vi;xh)
-Requires: %{name} = %{version}
-Obsoletes: %{name}-translations < %{version}-%{release}
-
-%description translations-other
-This package contains rarely used languages for the user interface
-of %{appname}.
-%endif
-
-%package branding-upstream
-Summary: Upstream branding for %{appname}
-Group: Productivity/Networking/Web/Browsers
-Provides: %{name}-branding = %{version}
-Conflicts: otherproviders(%{name}-branding)
-Supplements: packageand(%{name}:branding-upstream)
-#BRAND: Provide three files -
-#BRAND: /usr/lib/firefox/browserconfig.properties that contains the
-#BRAND: default homepage and some other default configuration options
-#BRAND: /usr/lib/firefox/defaults/profile/bookmarks.html that contains
-#BRAND: the list of default bookmarks
-#BRAND: It's also possible to create a file
-#BRAND: /usr/lib/firefox/defaults/preferences/firefox-$vendor.js to set
-#BRAND: custom preference overrides.
-#BRAND: It's also possible to drop files in /usr/lib/firefox/distribution/searchplugins/common/
-
-%description branding-upstream
-This package provides upstream look and feel for %{appname}.
-
-%if !%{with only_print_mozconfig}
-%prep
-%if %localize
-
-# If generated incorrectly, the tarball will be ~270B in
-# size, so 1MB seems like good enough limit to check.
-MINSIZE=1048576
-if (( $(stat -Lc%s "%{SOURCE7}") < MINSIZE)); then
- echo "Translations tarball %{SOURCE7} not generated properly."
- exit 1
-fi
-
-%setup -q -n %{srcname}-%{orig_version} -b 7
-%else
-%setup -q -n %{srcname}-%{orig_version}
-%endif
-cd $RPM_BUILD_DIR/%{srcname}-%{orig_version}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch6 -p1
-%patch7 -p1
-#%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-# Firefox
-%patch101 -p1
-%patch102 -p1
-%endif
-
-%build
-%if !%{with only_print_mozconfig}
-# no need to add build time to binaries
-modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{pkgname}.changes")"
-DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
-TIME="\"$(date -d "${modified}" "+%%R")\""
-find . -regex ".*\.c\|.*\.cpp\|.*\.h" -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
-
-# SLE-12 provides python36, but that package does not provide a python3 binary
-%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
-sed -i "s/python3/python36/g" configure.in
-sed -i "s/python3/python36/g" mach
-export PYTHON3=/usr/bin/python36
-%endif
-
-# Webrender does not support big endian yet, so we are forcing it off
-# see: https://bugzilla.mozilla.org/show_bug.cgi?id=1716707
-%ifarch s390x ppc64
-echo 'pref("gfx.webrender.force-disabled", true);' >> %{SOURCE9}
-%endif
-
-#
-kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3)
-if test "$kdehelperversion" != %{kde_helper_version}; then
- echo fix kde helper version in the .spec file
- exit 1
-fi
-
-source %{SOURCE4}
-%endif
-
-export CARGO_HOME=${RPM_BUILD_DIR}/%{srcname}-%{orig_version}/.cargo
-export MOZ_SOURCE_CHANGESET=$RELEASE_TAG
-export SOURCE_REPO=$RELEASE_REPO
-export source_repo=$RELEASE_REPO
-export MOZ_SOURCE_REPO=$RELEASE_REPO
-export MOZ_BUILD_DATE=$RELEASE_TIMESTAMP
-export MOZILLA_OFFICIAL=1
-export BUILD_OFFICIAL=1
-export MOZ_TELEMETRY_REPORTING=1
-export MACH_USE_SYSTEM_PYTHON=1
-%if 0%{?suse_version} <= 1320
-export CC=gcc-9
-%else
-%if 0%{?clang_build} == 0
-export CC=gcc
-export CXX=g++
-%endif
-%endif
-%ifarch %arm %ix86
-# Limit RAM usage during link
-export LDFLAGS="${LDFLAGS} -Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
-%endif
-%if 0%{?build_hardened}
-export LDFLAGS="${LDFLAGS} -fPIC -Wl,-z,relro,-z,now"
-%endif
-%ifarch ppc64 ppc64le
-%if 0%{?clang_build} == 0
-export CFLAGS="$CFLAGS -mminimal-toc"
-%endif
-%endif
-export CXXFLAGS="$CFLAGS"
-export MOZCONFIG=$RPM_BUILD_DIR/mozconfig
-%if %{with only_print_mozconfig}
-echo "export CC=$CC"
-echo "export CXX=$CXX"
-echo "export CFLAGS=\"$CFLAGS\""
-echo "export CXXFLAGS=\"$CXXFLAGS\""
-echo "export LDFLAGS=\"$LDFLAGS\""
-echo "export RUSTFLAGS=\"$RUSTFLAGS\""
-echo "export CARGO_HOME=\"$CARGO_HOME\""
-echo "export PATH=\"$PATH\""
-echo "export LD_LIBRARY_PATH=\"$LD_LIBRARY_PATH\""
-echo "export PKG_CONFIG_PATH=\"$PKG_CONFIG_PATH\""
-echo "export MOZCONFIG=\"$MOZCONFIG\""
-echo "export MOZILLA_OFFICIAL=1"
-echo "export BUILD_OFFICIAL=1"
-echo "export MOZ_TELEMETRY_REPORTING=1"
-echo ""
-cat << EOF
-%else
-%ifarch aarch64 %arm ppc64 ppc64le
-%limit_build -m 2000
-%endif
-cat << EOF > $MOZCONFIG
-%endif
-mk_add_options MOZILLA_OFFICIAL=1
-mk_add_options BUILD_OFFICIAL=1
-mk_add_options MOZ_MAKE_FLAGS=%{?jobs:-j%jobs}
-mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/../obj
-. \$topsrcdir/browser/config/mozconfig
-ac_add_options --disable-bootstrap
-ac_add_options --prefix=%{_prefix}
-ac_add_options --libdir=%{_libdir}
-ac_add_options --includedir=%{_includedir}
-ac_add_options --enable-release
-%if 0%{wayland_supported}
-ac_add_options --enable-default-toolkit=cairo-gtk3-wayland
-%else
-ac_add_options --enable-default-toolkit=cairo-gtk3
-%endif
-# bmo#1441155 - Disable the generation of Rust debug symbols on Linux32
-%ifarch %ix86 %arm
-ac_add_options --disable-debug-symbols
-%else
-ac_add_options --enable-debug-symbols
-%endif
-# building with elf-hack started to fail everywhere with FF73
-#%if 0%{?suse_version} > 1549
-%ifnarch aarch64 ppc64 ppc64le s390x
-ac_add_options --disable-elf-hack
-%endif
-#%endif
-ac_add_options --with-system-nspr
-ac_add_options --with-system-nss
-%if 0%{useccache} != 0
-ac_add_options --with-ccache
-%endif
-%if %{localize}
-ac_add_options --with-l10n-base=$RPM_BUILD_DIR/l10n
-%endif
-#ac_add_options --with-system-jpeg # libjpeg-turbo is used internally
-#ac_add_options --with-system-png # doesn't work because of missing APNG support
-ac_add_options --with-system-zlib
-ac_add_options --disable-updater
-ac_add_options --disable-tests
-ac_add_options --enable-alsa
-ac_add_options --disable-debug
-#ac_add_options --enable-chrome-format=jar
-ac_add_options --enable-update-channel=%{update_channel}
-ac_add_options --with-mozilla-api-keyfile=%{SOURCE18}
-# Google-service currently not available for free anymore
-#ac_add_options --with-google-location-service-api-keyfile=%{SOURCE19}
-ac_add_options --with-google-safebrowsing-api-keyfile=%{SOURCE19}
-ac_add_options --with-unsigned-addon-scopes=app
-ac_add_options --allow-addon-sideload
-%if %branding
-ac_add_options --enable-official-branding
-%endif
-ac_add_options --enable-libproxy
-%if ! %crashreporter
-ac_add_options --disable-crashreporter
-%endif
-%ifarch %arm
-ac_add_options --with-fpu=vfpv3-d16
-ac_add_options --with-float-abi=hard
-%ifarch armv6l armv6hl
-ac_add_options --with-arch=armv6
-%else
-ac_add_options --with-arch=armv7-a
-%endif
-%endif
-# mitigation/workaround for bmo#1512162
-%ifarch s390x
-ac_add_options --enable-optimize="-O1"
-%endif
-%ifarch x86_64
-# LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
-%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
-ac_add_options --enable-lto
-%if 0%{?do_profiling}
-ac_add_options MOZ_PGO=1
-%endif
-%endif
-%endif
-EOF
-%if !%{with only_print_mozconfig}
-%if 0%{useccache} != 0
-ccache -s
-%endif
-%if 0%{?do_profiling}
-xvfb-run --server-args="-screen 0 1920x1080x24" \
-%endif
-./mach build -v
-
-# build additional locales
-%if %localize
-truncate -s 0 %{_tmppath}/translations.{common,other}
-# langpack-build can not be done in parallel easily (see https://bugzilla.mozilla.org/show_bug.cgi?id=1660943)
-# Therefore, we have to have a separate obj-dir for each language
-# We do this, by creating a mozconfig-template with the necessary switches
-# and a placeholder obj-dir, which gets copied and modified for each language
-
-# Create mozconfig-template for langbuild
-cat << EOF > ${MOZCONFIG}_LANG
-mk_add_options MOZILLA_OFFICIAL=1
-mk_add_options BUILD_OFFICIAL=1
-mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/../obj_LANG
-. \$topsrcdir/browser/config/mozconfig
-ac_add_options --prefix=%{_prefix}
-ac_add_options --with-l10n-base=$RPM_BUILD_DIR/l10n
-ac_add_options --disable-updater
-%if %branding
-ac_add_options --enable-official-branding
-%endif
-EOF
-
-%ifarch %ix86
-%define njobs 1
-%else
-%define njobs 0%{?jobs:%jobs}
-%endif
-mkdir -p $RPM_BUILD_DIR/langpacks_artifacts/
-sed -r '/^(ja-JP-mac|ga-IE|en-US|)$/d;s/ .*$//' $RPM_BUILD_DIR/%{srcname}-%{orig_version}/browser/locales/shipped-locales \
- | xargs -n 1 %{?njobs:-P %njobs} -I {} /bin/sh -c '
- locale=$1
- cp ${MOZCONFIG}_LANG ${MOZCONFIG}_$locale
- sed -i "s|obj_LANG|obj_$locale|" ${MOZCONFIG}_$locale
- export MOZCONFIG=${MOZCONFIG}_$locale
- # nsinstall is needed for langpack-build. It is already built by `./mach build`, but building it again is very fast
- ./mach build config/nsinstall langpack-$locale
- cp -L ../obj_$locale/dist/linux-*/xpi/firefox-%{orig_version}.$locale.langpack.xpi \
- $RPM_BUILD_DIR/langpacks_artifacts/langpack-$locale@firefox.mozilla.org.xpi
- # check against the fixed common list and sort into the right filelist
- _matched=0
- for _match in ar ca cs da de el en-GB es-AR es-CL es-ES fi fr hu it ja ko nb-NO nl pl pt-BR pt-PT ru sv-SE zh-CN zh-TW; do
- [ "$_match" = "$locale" ] && _matched=1
- done
- [ $_matched -eq 1 ] && _l10ntarget=common || _l10ntarget=other
- echo %{progdir}/browser/extensions/langpack-$locale@firefox.mozilla.org.xpi \
- >> %{_tmppath}/translations.$_l10ntarget
-' -- {}
-%endif
-
-%if 0%{useccache} != 0
-ccache -s
-%endif
-%endif
-
-%install
-cd $RPM_BUILD_DIR/obj
-source %{SOURCE4}
-export MOZ_SOURCE_STAMP=$RELEASE_TAG
-export MOZ_SOURCE_REPO=$RELEASE_REPO
-# need to remove default en-US firefox-l10n.js before it gets
-# populated into browser's omni.ja; it only contains general.useragent.locale
-# which should be loaded from each language pack (set in firefox.js)
-rm dist/bin/browser/defaults/preferences/firefox-l10n.js
-make -C browser/installer STRIP=/bin/true MOZ_PKG_FATAL_WARNINGS=0
-#DEBUG (break the build if searchplugins are missing / temporary)
-grep amazondotcom dist/firefox/browser/omni.ja
-# copy tree into RPM_BUILD_ROOT
-mkdir -p %{buildroot}%{progdir}
-cp -rf $RPM_BUILD_DIR/obj/dist/%{srcname}/* %{buildroot}%{progdir}
-mkdir -p %{buildroot}%{progdir}/browser/extensions
-cp -rf $RPM_BUILD_DIR/langpacks_artifacts/* %{buildroot}%{progdir}/browser/extensions/
-mkdir -p %{buildroot}%{progdir}/distribution/extensions
-mkdir -p %{buildroot}%{progdir}/browser/defaults/preferences/
-# renaming executables (for regular vs. ESR)
-%if "%{srcname}" != "%{progname}"
-mv %{buildroot}%{progdir}/%{srcname} %{buildroot}%{progdir}/%{progname}
-mv %{buildroot}%{progdir}/%{srcname}-bin %{buildroot}%{progdir}/%{progname}-bin
-%endif
-# install gre prefs
-install -m 644 %{SOURCE13} %{buildroot}%{progdir}/defaults/pref/
-# install browser prefs
-install -m 644 %{SOURCE9} %{buildroot}%{progdir}/browser/defaults/preferences/firefox.js
-
-# remove some executable permissions
-find %{buildroot}%{progdir} \
- -name "*.js" -o \
- -name "*.jsm" -o \
- -name "*.rdf" -o \
- -name "*.properties" -o \
- -name "*.dtd" -o \
- -name "*.txt" -o \
- -name "*.xml" -o \
- -name "*.css" \
- -exec chmod a-x {} +
-# remove mkdir.done files from installed base
-find %{buildroot}%{progdir} -type f -name ".mkdir.done" -delete
-# overwrite the mozilla start-script and link it to /usr/bin
-mkdir --parents %{buildroot}/usr/bin
-sed "s:%%PREFIX:%{_prefix}:g
-s:%%PROGDIR:%{progdir}:g
-s:%%APPNAME:%{progname}:g
-s:%%WAYLAND_SUPPORTED:%{wayland_supported}:g
-s:%%PROFILE:.mozilla/firefox:g" \
- %{SOURCE3} > %{buildroot}%{progdir}/%{progname}.sh
-chmod 755 %{buildroot}%{progdir}/%{progname}.sh
-ln -sf ../..%{progdir}/%{progname}.sh %{buildroot}%{_bindir}/%{progname}
-# desktop file
-mkdir -p %{buildroot}%{_datadir}/applications
-sed "s:%%NAME:%{appname}:g
-s:%%EXEC:%{progname}:g
-s:%%ICON:%{progname}:g" \
- %{SOURCE1} > %{buildroot}%{_datadir}/applications/%{desktop_file_name}.desktop
-%suse_update_desktop_file %{desktop_file_name} Network WebBrowser GTK
-# additional mime-types
-mkdir -p %{buildroot}%{_datadir}/mime/packages
-cp %{SOURCE8} %{buildroot}%{_datadir}/mime/packages/%{progname}.xml
-# appdata
-mkdir -p %{buildroot}%{_datadir}/metainfo
-sed "s:firefox.desktop:%{desktop_file_name}:g" \
- %{SOURCE15} > %{buildroot}%{_datadir}/metainfo/%{desktop_file_name}.appdata.xml
-# install man-page
-mkdir -p %{buildroot}%{_mandir}/man1/
-cp %{SOURCE11} %{buildroot}%{_mandir}/man1/%{progname}.1
-# install GNOME Shell search provider
-mkdir -p %{buildroot}%{_datadir}/gnome-shell/search-providers
-cp %{SOURCE17} %{buildroot}%{_datadir}/gnome-shell/search-providers
-##########
-# ADDONS
-#
-mkdir -p %{buildroot}%{_datadir}/mozilla/extensions/%{firefox_appid}
-mkdir -p %{buildroot}%{_libdir}/mozilla/extensions/%{firefox_appid}
-# Install symbolic icon for GNOME
-%if %branding
-for size in 16 22 24 32 48 64 128 256; do
-%else
-for size in 16 32 48; do
-%endif
- mkdir -p %{buildroot}%{gnome_dir}/share/icons/hicolor/${size}x${size}/apps/
- cp %{buildroot}%{progdir}/browser/chrome/icons/default/default$size.png \
- %{buildroot}%{gnome_dir}/share/icons/hicolor/${size}x${size}/apps/%{progname}.png
-done
-# excludes
-rm -f %{buildroot}%{progdir}/updater.ini
-rm -f %{buildroot}%{progdir}/removed-files
-rm -f %{buildroot}%{progdir}/README.txt
-rm -f %{buildroot}%{progdir}/old-homepage-default.properties
-rm -f %{buildroot}%{progdir}/run-mozilla.sh
-rm -f %{buildroot}%{progdir}/LICENSE
-rm -f %{buildroot}%{progdir}/precomplete
-rm -f %{buildroot}%{progdir}/update-settings.ini
-%if 0%{?devpkg}
-# devel
-mkdir -p %{buildroot}%{_bindir}
-install -m 755 %SOURCE12 %{buildroot}%{_bindir}
-# inspired by mandriva
-mkdir -p %{buildroot}%{_rpmmacrodir}
-cat <<'FIN' >%{buildroot}%{_rpmmacrodir}/macros.%{progname}
-# Macros from %{name} package
-%%firefox_major %{major}
-%%firefox_version %{version}
-%%firefox_mainver %{mainver}
-%%firefox_mozillapath %%{_libdir}/%{progname}
-%%firefox_pluginsdir %%{_libdir}/mozilla/plugins
-%%firefox_appid \{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
-%%firefox_extdir %%(if [ "%%_target_cpu" = "noarch" ]; then echo %%{_datadir}/mozilla/extensions/%%{firefox_appid}; else echo %%{_libdir}/mozilla/extensions/%%{firefox_appid}; fi)
-
-%%firefox_ext_install() \
- extdir="%%{buildroot}%%{firefox_extdir}/`mozilla-get-app-id '%%1'`" \
- mkdir -p "$extdir" \
- %%{__unzip} -q -d "$extdir" "%%1" \
- %%{nil}
-FIN
-%endif
-# fdupes
-%fdupes %{buildroot}%{progdir}
-%fdupes %{buildroot}%{_datadir}
-
-%clean
-rm -rf %{buildroot}
-%if %localize
-rm -rf %{_tmppath}/translations.*
-%endif
-
-%post
-# update mime and desktop database
-%mime_database_post
-%desktop_database_post
-%icon_theme_cache_post
-exit 0
-
-%postun
-%icon_theme_cache_postun
-%desktop_database_postun
-%mime_database_postun
-exit 0
-
-%files
-%defattr(-,root,root)
-%dir %{progdir}
-%dir %{progdir}/browser/
-%dir %{progdir}/browser/chrome/
-%{progdir}/browser/defaults
-%{progdir}/browser/features/
-%{progdir}/browser/chrome/icons
-%{progdir}/browser/omni.ja
-%dir %{progdir}/distribution/
-%{progdir}/distribution/extensions/
-%{progdir}/defaults/
-%{progdir}/gmp-clearkey/
-%attr(755,root,root) %{progdir}/%{progname}.sh
-%{progdir}/%{progname}
-%{progdir}/%{progname}-bin
-%{progdir}/application.ini
-%{progdir}/dependentlibs.list
-%{progdir}/*.so
-%{progdir}/omni.ja
-%{progdir}/fonts/
-%{progdir}/pingsender
-%{progdir}/platform.ini
-%{progdir}/plugin-container
-%if %crashreporter
-%{progdir}/crashreporter
-%{progdir}/crashreporter.ini
-%{progdir}/Throbber-small.gif
-%{progdir}/minidump-analyzer
-%{progdir}/browser/crashreporter-override.ini
-%endif
-%{_datadir}/applications/%{desktop_file_name}.desktop
-%{_datadir}/mime/packages/%{progname}.xml
-%dir %{_datadir}/gnome-shell
-%dir %{_datadir}/gnome-shell/search-providers
-%{_datadir}/gnome-shell/search-providers/*.ini
-%dir %{_datadir}/mozilla
-%dir %{_datadir}/mozilla/extensions
-%dir %{_datadir}/mozilla/extensions/%{firefox_appid}
-%dir %{_libdir}/mozilla
-%dir %{_libdir}/mozilla/extensions
-%dir %{_libdir}/mozilla/extensions/%{firefox_appid}
-%{gnome_dir}/share/icons/hicolor/
-%{_bindir}/%{progname}
-%doc %{_mandir}/man1/%{progname}.1.gz
-%{_datadir}/metainfo/
-
-%if 0%{?devpkg}
-%files devel
-%defattr(-,root,root)
-%{_bindir}/mozilla-get-app-id
-%{_rpmmacrodir}/macros.%{progname}
-%endif
-
-%if %localize
-%files translations-common -f %{_tmppath}/translations.common
-%defattr(-,root,root)
-%dir %{progdir}
-%dir %{progdir}/browser/extensions/
-
-%files translations-other -f %{_tmppath}/translations.other
-%defattr(-,root,root)
-%dir %{progdir}
-%dir %{progdir}/browser/extensions/
-%endif
-
-# this package does not need to provide files but is needed to fulfill
-# requirements if no other branding package is to be installed
-%files branding-upstream
-%defattr(-,root,root)
-%dir %{progdir}
-
-%changelog
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/MozillaFirefox/mozilla-bmo1725828.patch Fri Oct 01 12:00:20 2021 +0200
@@ -0,0 +1,1 @@
+../mozilla-bmo1725828.patch
\ No newline at end of file
--- a/MozillaFirefox/mozilla-bmo531915.patch Mon Sep 06 12:03:54 2021 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-../mozilla-bmo531915.patch
\ No newline at end of file
--- a/MozillaFirefox/mozilla.sh.in Mon Sep 06 12:03:54 2021 +0200
+++ b/MozillaFirefox/mozilla.sh.in Fri Oct 01 12:00:20 2021 +0200
@@ -88,7 +88,7 @@
WAYLAND_SUPPORTED=%WAYLAND_SUPPORTED
# $XDG_SESSION_TYPE should contain either x11 or wayland
-if [ $WAYLAND_SUPPORTED -eq 1 ] && [ "$XDG_SESSION_TYPE" = "wayland" ]; then
+if [ $WAYLAND_SUPPORTED -eq 1 ] && [ "$XDG_SESSION_TYPE" = "wayland" ] && [ -z "$MOZ_ENABLE_WAYLAND" ]; then
export MOZ_ENABLE_WAYLAND=1
fi
--- a/MozillaFirefox/tar_stamps Mon Sep 06 12:03:54 2021 +0200
+++ b/MozillaFirefox/tar_stamps Fri Oct 01 12:00:20 2021 +0200
@@ -1,10 +1,10 @@
PRODUCT="firefox"
-CHANNEL="esr91"
-VERSION="91.1.0"
-VERSION_SUFFIX="esr"
-PREV_VERSION="91.0.2"
+CHANNEL="release"
+VERSION="92.0.1"
+VERSION_SUFFIX=""
+PREV_VERSION="92.0"
PREV_VERSION_SUFFIX=""
#SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
-RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-esr91"
-RELEASE_TAG="d015edeaf1a75b6bd672f9f9a413251482b715d6"
-RELEASE_TIMESTAMP="20210901125518"
+RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
+RELEASE_TAG="d7bbc5812f7f36a9378165fffd7a058ddb0118ec"
+RELEASE_TIMESTAMP="20210922161155"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mozilla-bmo1725828.patch Fri Oct 01 12:00:20 2021 +0200
@@ -0,0 +1,555 @@
+# HG changeset patch
+# Parent 95d077d47f452a241c5826b5aea762b549bb24ff
+
+<!DOCTYPE html>
+<html lang='en'>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+ <title>Tree - rpms/firefox - src.fedoraproject.org</title>
+ <link rel="shortcut icon" type="image/vnd.microsoft.icon"
+ href="/theme/static/favicon.ico?version=5.13.2"/>
+ <link href="/theme/static/fedora-bootstrap-1.3.0/fedora-bootstrap.min.css?version=5.13.2"
+ type="text/css" rel="stylesheet" />
+ <link href="/theme/static/fonts/fonts.css?version=5.13.2"
+ rel="stylesheet" type="text/css" />
+ <link href="/theme/static/fonts/hack_fonts/css/hack-extended.min.css?version=5.13.2"
+ type="text/css" rel="stylesheet" />
+ <link href="/theme/static/theme.css?version=5.13.2"
+ type="text/css" rel="stylesheet" />
+
+ <link type="text/css" rel="stylesheet" nonce="5VHCMUQ81dmw6zbPtdKqrXAJZ" href="/static/vendor/font-awesome/font-awesome.css?version=5.13.2"/>
+ <link type="text/css" rel="stylesheet" nonce="5VHCMUQ81dmw6zbPtdKqrXAJZ" href="/static/pagure.css?version=5.13.2"/>
+<link nonce="5VHCMUQ81dmw6zbPtdKqrXAJZ" rel="stylesheet" href="/static/vendor/highlight.js/styles/github.css?version=5.13.2"/>
+<link nonce="5VHCMUQ81dmw6zbPtdKqrXAJZ" rel="stylesheet" href="/static/vendor/highlightjs-line-numbers/highlightjs-line-numbers.min.css?version=5.13.2"/>
+<style nonce="5VHCMUQ81dmw6zbPtdKqrXAJZ">
+ .hljs {
+ background: #fff;
+ }
+</style>
+ </head>
+ <body id="home">
+
+ <!-- start masthead -->
+ <nav class="navbar navbar-light masthead p-0 navbar-expand">
+ <div class="container">
+ <a href="/" class="navbar-brand">
+ <img height=40px src="/theme/static/pagure-logo.png?version=5.13.2"
+ alt="pagure Logo" id="pagureLogo"/>
+ </a>
+ <ul class="navbar-nav ml-auto">
+
+
+
+ <li class="nav-item">
+ <a class="btn btn-primary" href="/login/?next=https://src.fedoraproject.org/rpms/firefox/blob/fc69159c16b8035abdc07e69134357970f6b516f/f/mozilla-1725828.patch">Log In</a>
+ </li>
+ </ul>
+ </div>
+ </nav>
+ <!-- close masthead-->
+
+ <div class="bodycontent">
+
+
+<div class="bg-light border border-bottom pt-3">
+ <div class="container">
+ <div class="row mb-3">
+ <div class="col-6">
+ <div class="row">
+ <div class="col-auto pr-0">
+ <h3>
+<i class="fa fa-archive text-muted"></i></h3>
+ </div>
+ <div class="col-auto pl-2">
+ <h3 class="mb-0">
+<a href="/projects/rpms/%2A">rpms</a> / <a href="/rpms/firefox"><strong>firefox</strong></a>
+ </h3>
+ </div>
+ </div>
+ </div>
+ <div class="col-6 text-right">
+ <div class="btn-group">
+ <div class="btn-group">
+ <a href="#"
+ class="btn btn-sm dropdown-toggle btn-outline-primary"
+ data-toggle="dropdown" id="watch-button">
+ <i class="fa fa-clone fa-fw"></i>
+ <span>Clone</span>
+ </a>
+ <div class="dropdown-menu dropdown-menu-right">
+ <div class="m-3" id="source-dropdown" class="pointer">
+ <div>
+ <h5><strong>Source Code</strong></h5>
+
+ <div class="form-group">
+ <div class="input-group input-group-sm">
+ <div class="input-group-prepend"><span class="input-group-text">GIT</span></div>
+ <input class="form-control bg-white select-on-focus" type="text" value="https://src.fedoraproject.org/rpms/firefox.git" readonly>
+ </div>
+ </div>
+ </div>
+ </div>
+ </div>
+
+ </div>
+ </div>
+ </div>
+</div>
+
+<ul class="nav nav-tabs nav-small border-bottom-0">
+ <li class="nav-item mr-2 text-dark">
+ <a class="nav-link active" href="/rpms/firefox">
+ <i class="fa fa-code fa-fw text-muted"></i>
+ <span class="d-none d-md-inline">Source</span>
+ </a>
+ </li>
+
+ <li class="nav-item mr-2 text-dark">
+ <a class="nav-link" href="https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&product=Fedora&product=Fedora EPEL&component=firefox">
+ <i class="fa fa-fw text-muted fa-exclamation-circle"></i>
+ <span class="d-none d-md-inline">Issues </span>
+ <span class="fa fa-external-link"></span>
+ </a>
+ </li>
+
+ <li class="nav-item mr-2 text-dark">
+ <a class="nav-link" href="/rpms/firefox/pull-requests">
+ <i class="fa fa-fw text-muted fa-arrow-circle-down"></i>
+ <span class="d-none d-md-inline">Pull Requests </span>
+ <span class="badge badge-secondary py-0 d-none d-md-inline">
+ 0
+ </span>
+ </a>
+ </li>
+
+
+ <li class="nav-item mr-2 text-dark">
+ <a class="nav-link" href="/rpms/firefox/stats">
+ <i class="fa fa-line-chart fa-fw text-muted"></i>
+ <span class="d-none d-md-inline">Stats</span>
+ </a>
+ </li>
+
+
+</ul>
+ </div>
+</div>
+
+<div class="container pt-5 repo-body-container">
+ <div class="row">
+ <div class="col-2">
+<nav class="nav nav-tabs nav-sidetabs flex-column">
+ <a class=
+ "nav-link nowrap
+"
+ href="/rpms/firefox">
+ <i class="fa fa-home text-muted fa-fw"></i> <span class="d-none d-md-inline">Overview</span>
+ </a>
+ <a class=
+ "nav-link nowrap
+ active"
+ href="/rpms/firefox/tree/fc69159c16b8035abdc07e69134357970f6b516f">
+ <i class="fa fa-file-code-o text-muted fa-fw"></i> Files
+ </a>
+ <a class=
+ "nav-link nowrap
+"
+ href="/rpms/firefox/commits/fc69159c16b8035abdc07e69134357970f6b516f">
+ <i class="fa fa-list-alt text-muted fa-fw" data-glyph="spreadsheet"></i> Commits
+ </a>
+ <a class=
+ "nav-link nowrap
+"
+ href="/rpms/firefox/branches?branchname=fc69159c16b8035abdc07e69134357970f6b516f">
+ <i class="fa fa-random text-muted fa-fw"></i> Branches
+ </a>
+ <a class=
+ "nav-link nowrap
+"
+ href="/rpms/firefox/forks">
+ <i class="fa fa-code-fork text-muted fa-fw"></i> Forks
+ </a>
+ <a class=
+ "nav-link nowrap
+"
+ href="/rpms/firefox/releases">
+ <i class="fa fa-tags text-muted fa-fw"></i> Releases
+ </a>
+
+ <div class="col-xs-2 line-height-1"></div>
+ <h6>Monitoring status:</h6>
+ <div class="btn-group">
+ <button title="Monitoring status" class="btn btn-sm btn-outline-primary disabled"
+ id="monitoring-button">
+ <i id="monitoring-icon" class="fa fa-fw fa-eye"></i>
+ <span id="monitoring-label" class="fa fa-circle-o-notch fa-spin fa-1x fa-fw"></span>
+ </button>
+ </div>
+
+ <div class="col-xs-2 line-height-1"></div>
+ <div id="orphan-section" class="pt-3">
+ <div class="col-xs-2 line-height-1"></div>
+
+ </div>
+
+ <div class="pt-3">
+ <div class="col-xs-2 line-height-1">
+ <h6>Bugzilla Assignee:</h6>
+ <dl>
+ <dt>Fedora: </dt>
+ <dd id="fedora_assignee_txt">
+ gecko-maint
+ </dd>
+ <dt>EPEL: </dt>
+ <dd id="epel_assignee_txt">
+ gecko-maint
+ </dd>
+ </dl>
+ </div>
+ </div>
+
+ <div class="modal fade" id="modal_assignee" tabindex="-1"
+ role="dialog" aria-labelledby="Bugzilla assignee" aria-hidden="true">
+ <div class="modal-dialog" role="document">
+ <div class="modal-content">
+ <div class="modal-header">
+ <h4 class="modal-title">Bugzilla Assignee</h4>
+ <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+ <span aria-hidden="true">×</span>
+ <span class="sr-only">Close</span>
+ </button>
+ </div>
+ <form id="change_assignees">
+ <div class="modal-body">
+ <label for="fedora_assignee">Fedora</label>
+ <input title="Default assignee for Fedora in bugzilla - Empty input resets to default"
+ class="form-control" name="fedora_assignee" id="fedora_assignee" value="gecko-maint"/>
+ <label for="epel_assignee">EPEL</label>
+ <input title="Default assignee for EPEL in bugzilla (if applicable) - Empty input resets to default"
+ class="form-control" name="epel_assignee" id="epel_assignee" value="gecko-maint" />
+ <p class="pt-2">
+ These two fields allow to specify a different default assignee for ticket opened against
+ this package in bugzilla. Note: The EPEL field is
+ always displayed for packages in the 'rpms' namespace regardless of whether it
+ is used in bugzilla or not. </p>
+ </div>
+ <div class="modal-footer">
+ <button class="btn btn-secondary" type="button" title="Update bugzilla overrides" id="reset_assignees">
+ Reset to defaults
+ </button>
+ <button class="btn btn-primary" type="submit" title="Update bugzilla overrides" id="update_assignees">
+ Update
+ </button>
+ </div>
+ </form>
+ </div>
+ </div>
+ </div>
+
+ <div class="modal fade" id="modal_orphan" tabindex="-1"
+ role="dialog" aria-labelledby="Orphan this package" aria-hidden="true">
+ <div class="modal-dialog" role="document">
+ <div class="modal-content">
+ <div class="modal-header">
+ <h4 class="modal-title">Orphan package</h4>
+ <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+ <span aria-hidden="true">×</span>
+ <span class="sr-only">Close</span>
+ </button>
+ </div>
+ <div class="modal-body">
+ <div class="form-group">
+ <label for="reason_menu">Reason</label>
+ <select id="reason_menu" class="form-control">
+
+ <option id="lack_of_time_option_button">Lack of time</option>
+
+ <option id="do_not_use_it_option_button">Do not use it anymore</option>
+
+ <option id="unmaintained_option_button">Unmaintained upstream</option>
+
+ <option id="fails_to_build_option_button">Fails to build from source</option>
+
+ <option id="not_fixed_option_button">Important bug not fixed</option>
+
+ <option id="other_option_button">Other</option>
+ </select>
+ </div>
+ <label for="orphan_reason_info">Additional info</label>
+ <input title="Additional info for orphaning reason"
+ class="form-control" name="orphan_reason_info" id="orphan_reason_info" value=""/>
+ </div>
+ <div class="modal-footer">
+ <button class="btn btn-primary" type="submit" title="Orphan this package" id="orphan_button">
+ Update
+ </button>
+ </div>
+ </div>
+ </div>
+ </div>
+
+ <script type="text/javascript" nonce="5VHCMUQ81dmw6zbPtdKqrXAJZ">
+ window.addEventListener('load', function() {
+ set_up_monitoring = function(status){
+ var _label = "Disabled"
+ if (status === "monitoring") {
+ _label = "Monitoring";
+ $("#monitoring-icon").attr("class", "fa fa-fw fa-eye")
+ } else if (status === "monitoring-with-scratch") {
+ _label = "Scratch builds"
+ $("#monitoring-icon").attr("class", "fa fa-fw fa-eye")
+ } else {
+ $("#monitoring-icon").attr("class", "fa fa-fw fa-eye-slash")
+ }
+
+ $("#monitoring-label").text(_label);
+ $("#monitoring-label").removeClass("fa fa-circle-o-notch fa-spin fa-1x fa-fw");
+ }
+
+ $.ajax({
+ url: "/_dg/anitya/rpms/firefox",
+ type: 'GET',
+ dataType: 'json',
+ success: function(res) {
+ console.log(res);
+ set_up_monitoring(res.monitoring)
+ }
+ });
+
+
+ $("#reset_assignees").on('click', function(){
+ $('#fedora_assignee').val('');
+ $('#epel_assignee').val('');
+ $("#change_assignees").submit();
+ return false;
+ });
+
+ $("#change_assignees").on('submit', function(){
+ $('html').css('cursor', 'progress');
+ $('#reset_assignees').attr('disabled', true);
+ $('#update_assignees').attr('disabled', true);
+ $('#update_assignees').text('Updating...');
+ $.ajax({
+ url: "/_dg/bzoverrides/rpms/firefox",
+ type: 'POST',
+ dataType: 'json',
+ data: {
+ 'epel_assignee': $('#epel_assignee').val(),
+ 'fedora_assignee': $('#fedora_assignee').val()
+ },
+ success: function(res) {
+ $("#fedora_assignee_txt").text(res.fedora_assignee);
+ $("#epel_assignee_txt").text(res.epel_assignee);
+ $('#modal_assignee').modal('hide');
+ $('#reset_assignees').attr('disabled', false);
+ $('#update_assignees').attr('disabled', false);
+ $('#update_assignees').text('Update');
+ $('html').css('cursor', 'default');
+ console.log("Successfully changed the bugzilla assignees");
+ return false;
+ },
+ error: function(res) {
+ var msg = '';
+ if(res.responseJSON.errors){
+ msg = ': ' + res.responseJSON.errors.join(', ');
+ }
+ alert("Unable to update the bugzilla assignee(s)" + msg);
+ $('html').css('cursor', 'default');
+ $('#reset_assignees').attr('disabled', false);
+ $('#update_assignees').attr('disabled', false);
+ $('#update_assignees').text('Update');
+ return false;
+ }
+ })
+ return false;
+ });
+
+
+ $.ajax({
+ url: "/_dg/actived/rpms/firefox",
+ type: 'GET',
+ dataType: 'json',
+ success: function(res) {
+ var _btn = $("#take_orphan_button");
+ if (!res.active){
+ _btn.off("click");
+ _btn.click(function(){
+ window.open(
+ "https://pagure.io/releng/new_issue?title="
+ + "Unretire rpms/firefox"
+ + "&template=package_unretiremet");
+ });
+ _btn.prop( "title", "Package retired - Open a releng ticket to adopt it" );
+ _btn.html("Retired");
+ }
+ _btn.removeClass('disabled');
+ }
+ });
+
+ $("#orphan_button").click(function(){
+ $("#orphan_button").attr("disabled", true);
+ $.ajax({
+ url: "/_dg/orphan/rpms/firefox",
+ type: 'POST',
+ dataType: 'json',
+ data: {
+ 'orphan_reason': $('#reason_menu').val(),
+ 'orphan_reason_info': $('#orphan_reason_info').val()
+ },
+ success: function(res) {
+ $("#point_of_contact_div").html("Package is currently unmaintained");
+ $("#orphan_button").attr("disabled", false);
+ $('#modal_orphan').modal('hide');
+ $('#orphan-section').html('');
+ },
+ error: function(res) {
+ if (res.responseJSON.errors) {
+ alert('Unable to orphan the package: ' + res.responseJSON.errors);
+ } else {
+ alert('Unable to orphan the package: ' + res.responseJSON.error);
+ }
+ $("#orphan_button").attr("disabled", false);
+ }
+ });
+ });
+ });
+ </script>
+
+</nav> </div>
+ <div class="col-10">
+ <div class="row mb-1">
+ <div class="col-sm-6">
+ <h3>
+ Files
+ </h3>
+ </div>
+
+ <div class="col-sm-6">
+ <div class="float-right">
+ <a href="#" class="btn btn-outline-light border-secondary text-dark btn-sm"
+ aria-haspopup="true" aria-expanded="false">
+ Commit: <span class="font-weight-bold">fc69159c16b8035abdc07e69134357970f6b516f</span>
+ </a>
+ </div>
+ </div>
+ </div>
+ <div class="card mb-3">
+ <div class="card-header">
+ <ol class="breadcrumb p-0 bg-transparent mb-0">
+ <li class="breadcrumb-item">
+ <a href="/rpms/firefox/tree/fc69159c16b8035abdc07e69134357970f6b516f">
+ <span class="fa fa-random">
+ </span> fc69159c16b8035abdc07e69134357970f6b516f
+ </a>
+ </li>
+ <li class="active breadcrumb-item">
+ <span class="fa fa-file" data-glyph="">
+ </span> mozilla-1725828.patch
+ </li>
+ </ol>
+ </div>
+
+ <div class="card-body p-0">
+ <div class="bg-light border text-right pr-2">
+ <form class="btn btn-sm" method="POST" name="fork_project"
+ action="/fork_edit/rpms/firefox/edit/fc69159c16b8035abdc07e69134357970f6b516f/f/mozilla-1725828.patch">
+ <button class="btn btn-sm btn-secondary fork_project_btn">
+ Fork and Edit
+ </button>
+
+ </form>
+
+ <a class="btn btn-secondary btn-sm" href="/rpms/firefox/blob/fc69159c16b8035abdc07e69134357970f6b516f/f/mozilla-1725828.patch" title="View as blob">Blob</a>
+
+ <a class="btn btn-secondary btn-sm" href="/rpms/firefox/blame/mozilla-1725828.patch?identifier=fc69159c16b8035abdc07e69134357970f6b516f" title="View git blame">Blame</a>
+
+ <a class="btn btn-secondary btn-sm" href="/rpms/firefox/history/mozilla-1725828.patch?identifier=fc69159c16b8035abdc07e69134357970f6b516f" title="View git log for this file">History</a>
+
+ <a class="btn btn-secondary btn-sm" href="/rpms/firefox/raw/fc69159c16b8035abdc07e69134357970f6b516f/f/mozilla-1725828.patch" title="View as raw">Raw</a>
+ </div>
+
+ <pre class="syntaxhighlightblock"><code class="lang-diff">diff -up firefox-92.0/dom/media/gmp/GMPChild.cpp.1725828 firefox-92.0/dom/media/gmp/GMPChild.cpp
+
+diff --git a/dom/media/gmp/GMPChild.cpp b/dom/media/gmp/GMPChild.cpp
+--- a/dom/media/gmp/GMPChild.cpp
++++ b/dom/media/gmp/GMPChild.cpp
+@@ -227,18 +227,24 @@ mozilla::ipc::IPCResult GMPChild::RecvPr
+ .EqualsASCII(lib.Data(), lib.Length())) {
+ LoadLibraryW(char16ptr_t(whiteListedLib));
+ break;
+ }
+ }
+ }
+ #elif defined(XP_LINUX)
+ constexpr static const char* whitelist[] = {
++ // NSS libraries used by clearkey.
+ "libfreeblpriv3.so",
+ "libsoftokn3.so",
++ // glibc libraries merged into libc.so.6; see bug 1725828 and
++ // the corresponding code in GMPParent.cpp.
++ "libdl.so.2",
++ "libpthread.so.0",
++ "librt.so.1",
+ };
+
+ nsTArray<nsCString> libs;
+ SplitAt(", ", aLibs, libs);
+ for (const nsCString& lib : libs) {
+ for (const char* whiteListedLib : whitelist) {
+ if (lib.EqualsASCII(whiteListedLib)) {
+ auto libHandle = dlopen(whiteListedLib, RTLD_NOW | RTLD_GLOBAL);
+@@ -251,17 +257,17 @@ mozilla::ipc::IPCResult GMPChild::RecvPr
+ if (error) {
+ // We should always have an error, but gracefully handle just in
+ // case.
+ nsAutoCString nsError{error};
+ CrashReporter::AppendAppNotesToCrashReport(nsError);
+ }
+ // End bug 1698718 logging.
+
+- MOZ_CRASH("Couldn't load lib needed by NSS");
++ MOZ_CRASH("Couldn't load lib needed by media plugin");
+ }
+ }
+ }
+ }
+ #endif
+ return IPC_OK();
+ }
+
+diff --git a/dom/media/gmp/GMPParent.cpp b/dom/media/gmp/GMPParent.cpp
+--- a/dom/media/gmp/GMPParent.cpp
++++ b/dom/media/gmp/GMPParent.cpp
+@@ -868,18 +868,31 @@ RefPtr<GenericPromise> GMPParent::ParseC
+ mLibs = "dxva2.dll"_ns;
+ #endif
+ } else {
+ GMP_PARENT_LOG_DEBUG("%s: Unrecognized key system: %s, failing.",
+ __FUNCTION__, mDisplayName.get());
+ return GenericPromise::CreateAndReject(NS_ERROR_FAILURE, __func__);
+ }
+
++#ifdef XP_LINUX
++ // These glibc libraries were merged into libc.so.6 as of glibc
++ // 2.34; they now exist only as stub libraries for compatibility and
++ // newly linked code won't depend on them, so we need to ensure
++ // they're loaded for plugins that may have been linked against a
++ // different version of glibc. (See also bug 1725828.)
++ if (!mDisplayName.EqualsASCII("clearkey")) {
++ if (!mLibs.IsEmpty()) {
++ mLibs.AppendLiteral(", ");
++ }
++ mLibs.AppendLiteral("libdl.so.2, libpthread.so.0, librt.so.1");
++ }
++#endif
++
+ GMPCapability video;
+-
+ nsCString codecsString = NS_ConvertUTF16toUTF8(m.mX_cdm_codecs);
+ nsTArray<nsCString> codecs;
+ SplitAt(",", codecsString, codecs);
+
+ // Parse the codec strings in the manifest and map them to strings used
+ // internally by Gecko for capability recognition.
+ //
+ // Google's code to parse manifests can be used as a reference for strings
--- a/mozilla-bmo531915.patch Mon Sep 06 12:03:54 2021 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,29 +0,0 @@
-# HG changeset patch
-# User Wolfgang Rosenauer <wr@rosenauer.org>
-# Parent 7332dfc4c47d73f1b88850b7727d33096d68e329
-
-diff --git a/modules/fdlibm/src/math_private.h b/modules/fdlibm/src/math_private.h
---- a/modules/fdlibm/src/math_private.h
-+++ b/modules/fdlibm/src/math_private.h
-@@ -25,17 +25,21 @@
-
- #include "mozilla/EndianUtils.h"
-
- /*
- * Emulate FreeBSD internal double types.
- * Adapted from https://github.com/freebsd/freebsd-src/search?q=__double_t
- */
-
-+#ifdef __i386__
-+typedef long double __double_t;
-+#else
- typedef double __double_t;
-+#endif
- typedef __double_t double_t;
-
- /*
- * The original fdlibm code used statements like:
- * n0 = ((*(int*)&one)>>29)^1; * index of high word *
- * ix0 = *(n0+(int*)&x); * high word of x *
- * ix1 = *((1-n0)+(int*)&x); * low word of x *
- * to dig two 32 bit words out of the 64 bit IEEE floating point
--- a/series Mon Sep 06 12:03:54 2021 +0200
+++ b/series Fri Oct 01 12:00:20 2021 +0200
@@ -5,7 +5,6 @@
mozilla-aarch64-startup-crash.patch
mozilla-sandbox-fips.patch
mozilla-fix-aarch64-libopus.patch
-#mozilla-disable-wasm-emulate-arm-unaligned-fp-access.patch
mozilla-s390-context.patch
mozilla-pgo.patch
mozilla-reduce-rust-debuginfo.patch
@@ -25,7 +24,7 @@
mozilla-libavcodec58_91.patch
mozilla-bmo1708709.patch
mozilla-silence-no-return-type.patch
-mozilla-bmo531915.patch
+mozilla-bmo1725828.patch
# Firefox patches
firefox-kde.patch